Bundler checksum init + verify
What does this MR do and why?
Copied from gitlab-org/distribution/bundler-checksum!2 (closed) /cc @dustinmm80
This MR creates a new vendored gem for use within GitLab initially. The purpose of the gem is to:
- Lock the checksums of the gem files in a file, `Gemfile.checksum`
- Verify the checksum of each downloaded gem file against the stored checksum in `Gemfile.checksum`
We will use this vendored gem for GitLab in a follow-up MR (generate Gemfile.checksum, etc)
Other things the new gem does not do yet:
- automatically updating the checksum file on `bundle install`
- updating the checksum file `Gemfile.checksum`; people have to manually delete `Gemfile.checksum` and re-run init
If this experiment is successful, we will extract this gem out, and use it in all GitLab projects.
We also plan to contribute this back to Bundler => https://github.com/rubygems/rubygems/pull/5808
NOTE: This MR does not generate the `Gemfile.checksum` file; this will be done in a follow-up MR, following the gem's README.
Why not bundler plugins?
The plugin approach suffers from being hard to uninstall. We don't want to inflict this on end-users on GitLab production. We want to eventually merge this upstream to Bundler anyway
Also the plugin hook events are not sufficient. The before-install event fires too early, and does not give us access to the downloaded package file for verification.
Related issue: #361737 (closed)
Screenshots or screen recordings
Example if checksum validation fails. See https://gitlab.com/gitlab-org/gitlab/-/jobs/2786873832 for an example also
How to set up and validate locally
- `bundle exec bundler-checksum init`. You should see a new `Gemfile.checksum` file
- `bundle exec bundler-checksum verify`
- Modify `Gemfile.checksum` to have a bad checksum for `sigdump`
- Add the following to the top of `Gemfile`:

```ruby
$:.unshift(File.expand_path('vendor/gems/bundler-checksum/lib', __dir__))
require 'bundler-checksum'
Bundler::Checksum.patch!
```

- `gem uninstall sigdump && bundle install`. You should see an error
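As an added illustration of the init/verify flow this MR describes (the gem's stated purpose above and the local validation steps just listed), the following Ruby script is example code written for this page; it is not the bundler-checksum gem's own implementation. The JSON lock-file layout, the `ChecksumLock` module and the fake gem files it writes into a temp directory are assumptions made for the example. It also rejects a downloaded gem that has no entry in the lock file at all, which is a design choice of this example rather than documented behaviour of the gem.

```ruby
require 'digest'
require 'json'
require 'tmpdir'
require 'fileutils'

# Assumed lock-file format for this example (not the gem's real format):
# a JSON object mapping "<name>-<version>.gem" => "sha256:<hex digest>".
module ChecksumLock
  class Mismatch < StandardError; end
  class Unknown < StandardError; end

  # Digest of one downloaded .gem archive, tagged with the algorithm so a
  # future algorithm change cannot be confused with an old entry.
  def self.digest(path)
    "sha256:#{Digest::SHA256.file(path).hexdigest}"
  end

  # "init": walk a directory of downloaded .gem files and lock their digests.
  def self.init(gem_dir, checksum_file)
    entries = Dir.glob(File.join(gem_dir, '*.gem')).sort.to_h do |path|
      [File.basename(path), digest(path)]
    end
    File.write(checksum_file, JSON.pretty_generate(entries) + "\n")
    entries
  end

  # "verify": compare one downloaded gem file against its locked digest.
  # The lock entry is looked up before the file is hashed, so an unknown gem
  # is refused without reading it.
  def self.verify(gem_path, checksum_file)
    locked = JSON.parse(File.read(checksum_file))
    name = File.basename(gem_path)
    expected = locked.fetch(name) { raise Unknown, "#{name} is not in #{checksum_file}" }
    actual = digest(gem_path)
    raise Mismatch, "#{name}: expected #{expected}, got #{actual}" unless expected == actual
    true
  end
end

# Runs the init -> verify -> tamper -> verify sequence on constructed files.
# Returns [clean_result, tampered_result, unknown_result].
def demo
  Dir.mktmpdir do |dir|
    cache = File.join(dir, 'cache')
    FileUtils.mkdir_p(cache)
    # Constructed stand-ins for downloaded gem archives (not real gems).
    File.write(File.join(cache, 'sigdump-0.2.4.gem'), 'fake gem body A')
    File.write(File.join(cache, 'rake-13.0.6.gem'), 'fake gem body B')

    lock = File.join(dir, 'Gemfile.checksum')
    ChecksumLock.init(cache, lock)

    # 1. Untouched download verifies cleanly.
    clean = ChecksumLock.verify(File.join(cache, 'sigdump-0.2.4.gem'), lock)

    # 2. Same name and version, different bytes: a substituted or tampered download.
    File.write(File.join(cache, 'sigdump-0.2.4.gem'), 'fake gem body A, but modified')
    tampered = begin
      ChecksumLock.verify(File.join(cache, 'sigdump-0.2.4.gem'), lock)
      :accepted
    rescue ChecksumLock::Mismatch
      :rejected
    end

    # 3. A gem that was never locked is refused as well.
    File.write(File.join(cache, 'nokogiri-1.13.0.gem'), 'fake gem body C')
    unknown = begin
      ChecksumLock.verify(File.join(cache, 'nokogiri-1.13.0.gem'), lock)
      :accepted
    rescue ChecksumLock::Unknown
      :unknown_rejected
    end

    [clean, tampered, unknown]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the script prints `[true, :rejected, :unknown_rejected]`: the original file verifies, the modified file with the same filename is refused, and a gem absent from the lock file is refused before it is hashed. Note that a "bad checksum" edit to `Gemfile.checksum`, as in the validation steps above, produces the same `Mismatch` path as a tampered download, which is exactly what the manual test relies on.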
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
