diff options
| author | The Bundler Bot <bot@bundler.io> | 2016-11-19 03:52:58 +0000 |
|---|---|---|
| committer | The Bundler Bot <bot@bundler.io> | 2016-11-19 03:52:58 +0000 |
| commit | d46522577ff6b09909d6113db3cd9ff059a45445 (patch) | |
| tree | 49b63f7cd7d6c8817f9fb321a991f1508ce8b4cd | |
| parent | da2dc28fc3070475a4f258cabfa4a054d0e88a37 (diff) | |
| parent | da6dcf4c2f89cfc6b15f1078104c2929fb2ef954 (diff) | |
| download | bundler-d46522577ff6b09909d6113db3cd9ff059a45445.tar.gz | |
Auto merge of #5119 - hmistry:explain-checksum-mismatch, r=segiddins
Improve gem checksum mismatch error message
Improve gem checksum mismatch error message by telling users how to resolve it.
Old message:
```
The checksum for the downloaded `rack-1.0.0.gem` did not match the checksum given by the API. This means that the contents of the gem appear to be different from what was uploaded, and could be an indicator of a security issue.
(The expected SHA256 checksum was "abababababababababababababababababababababab", but the checksum for the downloaded gem was "BR6Oc6Gqnq93u1aIVX4m6DvTHaFgFxdYaLUfa4ekJKI=".)
Bundler cannot continue installing rack (1.0.0).
```
New message:
```
Bundler cannot continue installing rack (1.0.0).
The checksum for the downloaded `rack-1.0.0.gem` does not match the checksum given by the server. This means the contents of the downloaded gem is different from what was uploaded to the server, and could be a potential security issue.
To resolve this issue:
1. delete the downloaded gem located at: `full-path/gems/rack-1.0.0/rack-1.0.0.gem`
2. run `bundle install`
If you wish to continue installing the downloaded gem, and are certain it does not pose a security issue despite the mismatching checksum, do the following:
1. run `bundle config disable.checksum_validaiton true` to turn off checksum verification
2. run `bundle install`
(More info: The expected SHA256 checksum was "abababababababababababababababababababababab", but the checksum for the downloaded gem was "PbfaoemSetv76QdcxuoP0ggZ0TZhMELlMMWURJoX+dw=".)
```
Closes #5075
| -rw-r--r-- | lib/bundler/rubygems_gem_installer.rb | 24 | ||||
| -rw-r--r-- | spec/install/gems/compact_index_spec.rb | 15 |
2 files changed, 29 insertions, 10 deletions
diff --git a/lib/bundler/rubygems_gem_installer.rb b/lib/bundler/rubygems_gem_installer.rb index 28ad988b94..356e2e4470 100644 --- a/lib/bundler/rubygems_gem_installer.rb +++ b/lib/bundler/rubygems_gem_installer.rb @@ -31,12 +31,24 @@ module Bundler send(checksum_type(checksum), digest) end unless digest == checksum - raise SecurityError, - "The checksum for the downloaded `#{spec.full_name}.gem` did not match " \ - "the checksum given by the API. This means that the contents of the " \ - "gem appear to be different from what was uploaded, and could be an indicator of a security issue.\n" \ - "(The expected SHA256 checksum was #{checksum.inspect}, but the checksum for the downloaded gem was #{digest.inspect}.)\n" \ - "Bundler cannot continue installing #{spec.name} (#{spec.version})." + raise SecurityError, <<-MESSAGE + Bundler cannot continue installing #{spec.name} (#{spec.version}). + The checksum for the downloaded `#{spec.full_name}.gem` does not match \ + the checksum given by the server. This means the contents of the downloaded \ + gem is different from what was uploaded to the server, and could be a potential security issue. + + To resolve this issue: + 1. delete the downloaded gem located at: `#{spec.gem_dir}/#{spec.full_name}.gem` + 2. run `bundle install` + + If you wish to continue installing the downloaded gem, and are certain it does not pose a \ + security issue despite the mismatching checksum, do the following: + 1. run `bundle config disable.checksum_validation true` to turn off checksum verification + 2. run `bundle install` + + (More info: The expected SHA256 checksum was #{checksum.inspect}, but the \ + checksum for the downloaded gem was #{digest.inspect}.) + MESSAGE end true end diff --git a/spec/install/gems/compact_index_spec.rb b/spec/install/gems/compact_index_spec.rb index 001118b513..257a2590a8 100644 --- a/spec/install/gems/compact_index_spec.rb +++ b/spec/install/gems/compact_index_spec.rb @@ -713,12 +713,19 @@ The checksum of /versions does not match the checksum provided by the server! So source "#{source_uri}" gem "rack" G + expect(exitstatus).to eq(19) if exitstatus expect(out). - to include("The checksum for the downloaded `rack-1.0.0.gem` did not match the checksum given by the API."). - and include("This means that the contents of the gem appear to be different from what was uploaded, and could be an indicator of a security issue."). - and match(/\(The expected SHA256 checksum was "#{"ab" * 22}", but the checksum for the downloaded gem was ".+?"\.\)/). - and include("Bundler cannot continue installing rack (1.0.0).") + to include("Bundler cannot continue installing rack (1.0.0)."). + and include("The checksum for the downloaded `rack-1.0.0.gem` does not match the checksum given by the server."). + and include("This means the contents of the downloaded gem is different from what was uploaded to the server, and could be a potential security issue."). + and include("To resolve this issue:"). + and include("1. delete the downloaded gem located at: `#{system_gem_path}/gems/rack-1.0.0/rack-1.0.0.gem`"). + and include("2. run `bundle install`"). + and include("If you wish to continue installing the downloaded gem, and are certain it does not pose a security issue despite the mismatching checksum, do the following:"). + and include("1. run `bundle config disable.checksum_validation true` to turn off checksum verification"). + and include("2. run `bundle install`"). + and match(/\(More info: The expected SHA256 checksum was "#{"ab" * 22}", but the checksum for the downloaded gem was ".+?"\.\)/) end it "raises when the checksum is the wrong length" do |