authorMartin Emde <martin.emde@gmail.com>2023-09-01 15:15:49 -0700
committerHiroshi SHIBATA <hsbt@ruby-lang.org>2023-10-23 13:59:01 +0900
commitc667de72ff9de195e1cab4b1937973e841ff89ae (patch)
tree6dc6a88dbf8c44109593352055c8e798d562a83f /spec/bundler/bundler
parent6362bfdc337c1929a381734ded417b796f9767bf (diff)
[rubygems/rubygems] Improve errors and register checksums reliably
Improve error reporting for checksums, raising a new error class. Solve for multi-source checksum errors. Add CHECKSUMS to tool/bundler/(dev|standard|rubocop)26_gems.rb https://github.com/rubygems/rubygems/commit/26ceee0e76 Co-authored-by: Samuel Giddins <segiddins@segiddins.me>
Diffstat (limited to 'spec/bundler/bundler')
-rw-r--r--spec/bundler/bundler/lockfile_parser_spec.rb51
1 files changed, 27 insertions, 24 deletions
diff --git a/spec/bundler/bundler/lockfile_parser_spec.rb b/spec/bundler/bundler/lockfile_parser_spec.rb
index c05d5a01d1..a42bdad6e4 100644
--- a/spec/bundler/bundler/lockfile_parser_spec.rb
+++ b/spec/bundler/bundler/lockfile_parser_spec.rb
@@ -119,6 +119,12 @@ RSpec.describe Bundler::LockfileParser do
let(:bundler_version) { Gem::Version.new("1.12.0.rc.2") }
let(:ruby_version) { "ruby 2.1.3p242" }
let(:lockfile_path) { Bundler.default_lockfile.relative_path_from(Dir.pwd) }
+ let(:rake_checksum) do
+ Bundler::Checksum.from_lock(
+ "sha256-814828c34f1315d7e7b7e8295184577cc4e969bad6156ac069d02d63f58d82e8",
+ "#{lockfile_path}:??:1"
+ )
+ end
shared_examples_for "parsing" do
it "parses correctly" do
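Review bot: The source string `"#{lockfile_path}:??:1"` in the new `rake_checksum` let carries a `??` placeholder for the line number that is nowhere explained, and it is presumably tolerated only because `be_match` does not compare sources; a reader can take `??` for a real lockfile line marker. A one-line comment above the `from_lock` call would make the intent clear, e.g. `# "??" stands in for the line number: be_match compares the digest, the real line:column is asserted separately`. If `be_match` does take the source into account, the placeholder would need the real line instead. The `shared_examples_for "parsing"` block continues past this hunk.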
@@ -129,11 +135,9 @@ RSpec.describe Bundler::LockfileParser do
expect(subject.platforms).to eq platforms
expect(subject.bundler_version).to eq bundler_version
expect(subject.ruby_version).to eq ruby_version
- checksums = subject.sources.last.checksum_store.checksums("rake-10.3.2")
- expect(checksums.size).to eq(1)
- expected_checksum = Bundler::Checksum.new("sha256", "814828c34f1315d7e7b7e8295184577cc4e969bad6156ac069d02d63f58d82e8", "#{lockfile_path}:??:1")
- expect(checksums.first).to be_match(expected_checksum)
- expect(checksums.first.sources.first).to match(/#{Regexp.escape(lockfile_path.to_s)}:\d+:\d+/)
+ checksum = subject.sources.last.checksum_store.fetch(specs.last)
+ expect(checksum).to be_match(rake_checksum)
+ expect(checksum.sources.first.to_s).to match(/the lockfile CHECKSUMS at #{Regexp.escape(lockfile_path.to_s)}:\d+:\d+/)
end
end
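Review bot: `checksum_store.fetch(specs.last)` ties the assertion to the ordering of `specs`, which is defined outside this hunk, whereas the replaced `checksums("rake-10.3.2")` named the gem being checked; a comment such as `# specs.last is rake (10.3.2), the entry the fixture's CHECKSUMS section covers` (or a lookup by name, if the spec objects allow one) would keep the example readable if more specs are added to the fixture. Dropping the old `checksums.size` assertion looks intended, since `fetch` appears to return a single checksum per spec rather than a list. The enclosing `it "parses correctly"` example starts before this hunk.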
@@ -159,29 +163,28 @@ RSpec.describe Bundler::LockfileParser do
include_examples "parsing"
end
- context "when CHECKSUMS has duplicate checksums that don't match" do
- let(:lockfile_contents) { super().split(/(?<=CHECKSUMS\n)/m).insert(1, " rake (10.3.2) sha256-69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b6\n").join }
+ context "when CHECKSUMS has duplicate checksums in the lockfile that don't match" do
+ let(:bad_checksum) { "sha256-c0ffee11c0ffee11c0ffee11c0ffee11c0ffee11c0ffee11c0ffee11c0ffee11" }
+ let(:lockfile_contents) { super().split(/(?<=CHECKSUMS\n)/m).insert(1, " rake (10.3.2) #{bad_checksum}\n").join }
it "raises a security error" do
expect { subject }.to raise_error(Bundler::SecurityError) do |e|
expect(e.message).to match <<~MESSAGE
- Bundler found multiple different checksums for rake-10.3.2.
- This means that there are multiple different `rake-10.3.2.gem` files.
- This is a potential security issue, since Bundler could be attempting to install a different gem than what you expect.
-
- sha256-814828c34f1315d7e7b7e8295184577cc4e969bad6156ac069d02d63f58d82e8 (from #{lockfile_path}:21:1 CHECKSUMS rake (10.3.2))
- sha256-69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b6 from:
- * #{lockfile_path}:20:1 CHECKSUMS rake (10.3.2)
-
- To resolve this issue:
- 1. delete any downloaded gems referenced above
- 2. run `bundle install`
-
- If you are sure that the new checksum is correct, you can remove the `rake-10.3.2` entry under the lockfile `CHECKSUMS` section and rerun `bundle install`.
-
- If you wish to continue installing the downloaded gem, and are certain it does not pose a security issue despite the mismatching checksum, do the following:
- 1. run `bundle config set --local disable_checksum_validation true` to turn off checksum verification
- 2. run `bundle install`
+ Bundler found mismatched checksums. This is a potential security risk.
+ rake (10.3.2) #{bad_checksum}
+ from the lockfile CHECKSUMS at #{lockfile_path}:20:17
+ rake (10.3.2) #{rake_checksum.to_lock}
+ from the lockfile CHECKSUMS at #{lockfile_path}:21:17
+
+ To resolve this issue you can either:
+ 1. remove the matching checksum in #{lockfile_path}:21:17
+ 2. run `bundle install`
+ or if you are sure that the new checksum from the lockfile CHECKSUMS at #{lockfile_path}:21:17 is correct:
+ 1. remove the matching checksum in #{lockfile_path}:20:17
+ 2. run `bundle install`
+
+ To ignore checksum security warnings, disable checksum validation with
+ `bundle config set --local disable_checksum_validation true`
MESSAGE
end
end
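Review bot: The new heredoc is passed to `match`, and RSpec's `match` falls back to `actual.match(expected)` when the two strings are not equal, which compiles the expected text into a Regexp — so `rake (10.3.2)` becomes a capture group in which the parentheses are not required and each `.` matches any character, and any later edit that adds `*`, `+` or `[` to the message silently changes the pattern rather than the text. If the message is expected verbatim, `expect(e.message).to eq(<<~MESSAGE)` pins it exactly; if only this portion is being checked, `expect(e.message).to include(<<~MESSAGE)` keeps the comparison literal. The `expect(e.message).to match` line is context here, and the enclosing `context` block closes after the hunk.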