Merge pull request #9004 from Edouard-chin/ec-checksum-fix

hsbt · web-flow · commit 66c94f65c8a0 · 2025-10-15T18:54:17.000+09:00
Add checksum of gems hosted on private servers:
diff --git a/bundler/lib/bundler/definition.rb b/bundler/lib/bundler/definition.rb
@@ -540,7 +540,18 @@ def add_checksums
 
       setup_domain!(add_checksums: true)
 
-      specs # force materialization to real specifications, so that checksums are fetched
+      # force materialization to real specifications, so that checksums are fetched
+      specs.each do |spec|
+        next unless spec.source.is_a?(Bundler::Source::Rubygems)
+        # Checksum was fetched from the compact index API.
+        next if !spec.source.checksum_store.missing?(spec) && !spec.source.checksum_store.empty?(spec)
+        # The gem isn't installed, can't compute the checksum.
+        next unless spec.loaded_from
+
+        package = Gem::Package.new(spec.source.cached_built_in_gem(spec))
+        checksum = Checksum.from_gem_package(package)
+        spec.source.checksum_store.register(spec, checksum)
+      end
     end
 
     private
diff --git a/bundler/spec/commands/lock_spec.rb b/bundler/spec/commands/lock_spec.rb
@@ -2174,6 +2174,97 @@
     L
   end
 
+  it "add checksums for gems installed on disk" do
+    build_repo4 do
+      build_gem "warning", "18.0.0"
+    end
+
+    bundle "config lockfile_checksums false"
+
+    simulate_platform "x86_64-linux" do
+      install_gemfile(<<-G, artifice: "endpoint")
+        source "https://gem.repo4"
+
+        gem "warning"
+      G
+
+      bundle "config --delete lockfile_checksums"
+      bundle("lock --add-checksums", artifice: "endpoint")
+    end
+
+    checksums = checksums_section do |c|
+      c.checksum gem_repo4, "warning", "18.0.0"
+    end
+
+    expect(lockfile).to eq <<~L
+      GEM
+        remote: https://gem.repo4/
+        specs:
+          warning (18.0.0)
+
+      PLATFORMS
+        ruby
+        x86_64-linux
+
+      DEPENDENCIES
+        warning
+      #{checksums}
+      BUNDLED WITH
+         #{Bundler::VERSION}
+    L
+  end
+
+  it "doesn't add checksum for gems not installed on disk" do
+    lockfile(<<~L)
+      GEM
+        remote: https://gem.repo4/
+        specs:
+          warning (18.0.0)
+
+      PLATFORMS
+        #{local_platform}
+
+      DEPENDENCIES
+        warning
+
+      BUNDLED WITH
+         #{Bundler::VERSION}
+    L
+
+    gemfile(<<~G)
+      source "https://gem.repo4"
+
+      gem "warning"
+    G
+
+    build_repo4 do
+      build_gem "warning", "18.0.0"
+    end
+
+    FileUtils.rm_rf("#{gem_repo4}/gems")
+
+    bundle("lock --add-checksums", artifice: "endpoint")
+
+    expect(lockfile).to eq <<~L
+      GEM
+        remote: https://gem.repo4/
+        specs:
+          warning (18.0.0)
+
+      PLATFORMS
+        #{local_platform}
+
+      DEPENDENCIES
+        warning
+
+      CHECKSUMS
+        warning (18.0.0)
+
+      BUNDLED WITH
+         #{Bundler::VERSION}
+    L
+  end
+
   context "when re-resolving to include prereleases" do
     before do
       build_repo4 do
