authorSamuel Giddins <segiddins@segiddins.me>2023-08-09 13:45:56 -0700
committerHiroshi SHIBATA <hsbt@ruby-lang.org>2023-10-23 13:59:01 +0900
commitc5fd94073ff2e22b6eea29c242c7e4a12ed7c865 (patch)
tree327479235e44b16b1dd927b3d6b8b53b36bdc8c8 /spec/bundler/install/gems/compact_index_spec.rb
parent69d7e9a12eb6e3dbfa1b1021b73c2afcbf7d4a46 (diff)
[rubygems/rubygems] Refactor to checksums stored via source
This gets the specs passing, and handles the fact that we expect checksums to be pinned only to a particular source. This also avoids reading in .gem files during lockfile generation, instead allowing us to query the source for each resolved gem to grab the checksum. Finally, this opens up a route to having user-stored checksum databases, similar to how other package managers do this! Add checksums to dev lockfiles. Handle full name conflicts from different original_platforms when adding checksums to store from compact index. Specs passing on Bundler 3. https://github.com/rubygems/rubygems/commit/86c7084e1c
Diffstat (limited to 'spec/bundler/install/gems/compact_index_spec.rb')
-rw-r--r--spec/bundler/install/gems/compact_index_spec.rb39
1 files changed, 27 insertions, 12 deletions
diff --git a/spec/bundler/install/gems/compact_index_spec.rb b/spec/bundler/install/gems/compact_index_spec.rb
index 20e3d93175..f723c0da73 100644
--- a/spec/bundler/install/gems/compact_index_spec.rb
+++ b/spec/bundler/install/gems/compact_index_spec.rb
@@ -882,18 +882,33 @@ The checksum of /versions does not match the checksum provided by the server! So
gem "rack"
G
+ api_checksum = Spec::Checksums::ChecksumsBuilder.new.repo_gem(gem_repo1, "rack", "1.0.0").first.checksums.fetch("sha256")
+
+ gem_path = if Bundler.feature_flag.global_gem_cache?
+ default_cache_path.dirname.join("cache", "gems", "localgemserver.test.80.dd34752a738ee965a2a4298dc16db6c5", "rack-1.0.0.gem")
+ else
+ default_cache_path.dirname.join("rack-1.0.0.gem")
+ end
+
expect(exitstatus).to eq(19)
expect(err).
- to include("Bundler cannot continue installing rack (1.0.0).").
- and include("The checksum for the downloaded `rack-1.0.0.gem` does not match the checksum given by the server.").
- and include("This means the contents of the downloaded gem is different from what was uploaded to the server, and could be a potential security issue.").
- and include("To resolve this issue:").
- and include("1. delete the downloaded gem located at: `#{default_bundle_path}/gems/rack-1.0.0/rack-1.0.0.gem`").
- and include("2. run `bundle install`").
- and include("If you wish to continue installing the downloaded gem, and are certain it does not pose a security issue despite the mismatching checksum, do the following:").
- and include("1. run `bundle config set --local disable_checksum_validation true` to turn off checksum verification").
- and include("2. run `bundle install`").
- and match(/\(More info: The expected SHA256 checksum was "#{"ab" * 22}", but the checksum for the downloaded gem was ".+?"\.\)/)
+ to eq <<~E.strip
+ Bundler cannot continue installing rack (1.0.0).
+ The checksum for the downloaded `rack-1.0.0.gem` does not match the known checksum for the gem.
+ This means the contents of the downloaded gem is different from what was uploaded to the server or first used by your teammates, and could be a potential security issue.
+
+ To resolve this issue:
+ 1. delete the downloaded gem located at: `#{gem_path}`
+ 2. run `bundle install`
+
+ If you are sure that the new checksum is correct, you can remove the `rack (1.0.0)` entry under the lockfile `CHECKSUMS` section and rerun `bundle install`.
+
+ If you wish to continue installing the downloaded gem, and are certain it does not pose a security issue despite the mismatching checksum, do the following:
+ 1. run `bundle config set --local disable_checksum_validation true` to turn off checksum verification
+ 2. run `bundle install`
+
+ (More info: The expected SHA256 checksum was "69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b", but the checksum for the downloaded gem was "#{api_checksum}". The expected checksum came from: API response from http://localgemserver.test/)
+ E
end
it "raises when the checksum is the wrong length" do
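Review bot: The global-cache branch at the `default_cache_path.dirname.join("cache", "gems", ...)` line hard-codes the source slug `localgemserver.test.80.dd34752a738ee965a2a4298dc16db6c5`, an opaque digest that will go stale if the slug derivation or the spec server host/port changes, and the failure would then surface as a full-message mismatch rather than a path mismatch. Deriving that segment from the same helper the install path uses, or at least adding a comment such as `# cache slug is host.port.<digest of source URI> — keep in sync with the source's cache path`, would keep the expectation traceable. Separately, the pinned text advises removing the entry under the lockfile CHECKSUMS section, while its final line states the expected checksum came from the API response rather than the lockfile, so that hint appears not to apply in this scenario; if the wording is intentional, a spec comment noting that this example covers the API-sourced checksum would help the next reader. The `it` block this hunk belongs to begins before the hunk.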
@@ -901,8 +916,8 @@ The checksum of /versions does not match the checksum provided by the server! So
source "#{source_uri}"
gem "rack"
G
- expect(exitstatus).to eq(5)
- expect(err).to include("The given checksum for rack-1.0.0 (\"checksum!\") is not a valid SHA256 hexdigest nor base64digest")
+ expect(exitstatus).to eq(14)
+ expect(err).to include("The given checksum for rack-0.9.1 (\"checksum!\") is not a valid SHA256 hexdigest nor base64digest")
end
it "does not raise when disable_checksum_validation is set" do