Bundler 4.0.11 does not write its own digest in the `CHECKSUMS` section of the lockfile

[callmesangio]

Describe the problem as clearly as you can

Hi,

IIUC, bundler 4.0.11 should write its own digest in the CHECKSUMS section of Gemfile.lock.
This was implemented in #9366 and it's also documented in the changelog, but I wasn't able to get it working.

Did you try upgrading rubygems & bundler?

Yes, I'm on 4.0.11 of both.

Post steps to reproduce the problem

Ruby is installed via mise.

Bundler config:

$ bundle config list
Settings are listed in order of priority. The top value will be used.
clean
Set for the current user (/Users/fabio/.bundle/config): true

path
Set for the current user (/Users/fabio/.bundle/config): ".bundle"

Versions:

$ gem --version
4.0.11

$ bundle --version
4.0.11

$ ruby --version
ruby 3.4.9 (2026-03-11 revision 76cca827ab) +PRISM [x86_64-darwin24]

Which command did you run?

$ bundle init
Writing new Gemfile to /Volumes/projects/new-ruby-project/Gemfile
$ bundle add uri
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies...
Fetching gem metadata from https://rubygems.org/.
Fetching uri 1.1.1
Installing uri 1.1.1

What were you expecting to happen?

My expectation is that bundler should write its own digest in the lockfile.

What happened instead?

The lockfile includes only the checksum of the installed gem.
The same happens upgrading an existing project to bundler 4.0.11 via bundler update --bundler.

$ cat -p Gemfile.lock
GEM
  remote: https://rubygems.org/
  specs:
    uri (1.1.1)

PLATFORMS
  ruby
  x86_64-darwin-24

DEPENDENCIES
  uri (~> 1.1)

CHECKSUMS
  uri (1.1.1) sha256=379fa58d27ffb1387eaada68c749d1426738bd0f654d812fcc07e7568f5c57c6

BUNDLED WITH
  4.0.11

If not included with the output of your command, run bundle env and paste the output below

Environment

Bundler       4.0.11
  Platforms   ruby, x86_64-darwin-24
Ruby          3.4.9p82 (2026-03-11 revision 76cca827ab52ab1d346a728f068d5b8da3e2952b) [x86_64-darwin-24]
  Full Path   /Users/fabio/.local/share/mise/installs/ruby/3.4.9/bin/ruby
  Config Dir  /Users/fabio/.local/share/mise/installs/ruby/3.4.9/etc
RubyGems      4.0.11
  Gem Home    /Users/fabio/.local/share/mise/installs/ruby/3.4.9/lib/ruby/gems/3.4.0
  Gem Path    /Users/fabio/.gem/ruby/3.4.0:/Users/fabio/.local/share/mise/installs/ruby/3.4.9/lib/ruby/gems/3.4.0
  User Home   /Users/fabio
  User Path   /Users/fabio/.gem/ruby/3.4.0
  Bin Dir     /Users/fabio/.local/share/mise/installs/ruby/3.4.9/bin
Tools         
  Git         2.54.0
  RVM         not installed
  rbenv       not installed
  chruby      not installed

Bundler Build Metadata

Timestamp  2026-04-30
Git SHA    b7155a3865

Bundler settings

clean
  Set for the current user (/Users/fabio/.bundle/config): true
path
  Set for the current user (/Users/fabio/.bundle/config): ".bundle"

Gemfile

Gemfile

# frozen_string_literal: true

source "https://rubygems.org"

# gem "rails"

gem "uri", "~> 1.1"

Gemfile.lock

GEM
  remote: https://rubygems.org/
  specs:
    uri (1.1.1)

PLATFORMS
  ruby
  x86_64-darwin-24

DEPENDENCIES
  uri (~> 1.1)

CHECKSUMS
  uri (1.1.1) sha256=379fa58d27ffb1387eaada68c749d1426738bd0f654d812fcc07e7568f5c57c6

BUNDLED WITH
  4.0.11

[hsbt]

Could you try gem install bundler:4.0.11 and run bundle add again?

When bundler is updated via gem update --system, it's installed as a default gem and bundler-4.0.11.gem isn't kept in the cache directory, so the checksum step is skipped. Installing it explicitly should leave the .gem in your cache and let the lockfile pick up the bundler digest.

[callmesangio]

Hi @hsbt, thanks for the tip.

This works (note: no need to run bundle add):

$ mise x ruby@3.4.9 -- gem install bundler:4.0.11
Fetching bundler-4.0.11.gem
Successfully installed bundler-4.0.11
1 gem installed

$ bundle init
Writing new Gemfile to /Volumes/projects/new-ruby-project/Gemfile

$ bundle lock
Writing lockfile to /Volumes/projects/new-ruby-project/Gemfile.lock
Resolving dependencies...

$ cat Gemfile.lock
GEM
  remote: https://rubygems.org/
  specs:

PLATFORMS
  ruby
  x86_64-darwin-24

DEPENDENCIES

CHECKSUMS
  bundler (4.0.11) sha256=5bcec0fb78302e48d02ee46f10ee6e6942be647ba5b44a6d1ddfda9a240ce785

BUNDLED WITH
  4.0.11

So yes, the problem is the digest gets added only if bundler is installed (also) as a regular gem. The default one is not enough.
I can also confirm that removing the regular bundler gem reverts the behavior back to no digest.

Installing the regular gem is fine as a workaround but maybe a little unexpected as a hard requirement.

[hsbt]

Thanks for your confirmation. I will consider how fix with your case. /cc @Edouard-chin

[Edouard-chin]

Ah sorry I didn't know that gem update --system doesn't keep a .gem cache.

I'll think about a solution when I'm back at work next week.

Thanks for trying out the new feature and reporting the issue !

[chaadow]

just FYI, I have the same issue, and manually running gem install bundler:4.0.11 as suggested fixed the issue ( and I did update bundler with gem update --system, so I believe I have I have a similar issue as @callmesangio )

[hsbt]

@Edouard-chin I remember with #9119 (Fedora RPM case), I think it's the same fundamental limit.

A checksum only has meaning for .gem bytes that came from rubygems.org. With gem update --system or fresh install of Ruby, bundler is locally install without gem install. So the local sha256 won't match what rubygems.org publishes.

I think we should document this limitation rather than record a local-build checksum. What do you think this?

[Edouard-chin]

[...] A checksum only has meaning for .gem bytes that came from rubygems.org.

Hmm, that's a good point. I'm a bit on the fence on what to do here. I think, technically the checksum is going to be the same. When gem update --system runs and we end up downloading rubygems-update.gem (which contains the original source code of the released bundler.gem on rubygems.org), we then package the bundler source code into its own gem

rubygems/lib/rubygems/commands/setup_command.rb

Line 394 in 5869518

built_gem = Gem::Package.build(new_bundler_spec)

We could cache this .gem tarball (right now we build it temporarily and destroy it right after), which would allow us to compute a checksum.
But I find strange that the checksum would come from a .gem we built (even though we trust its source), rather than .gem that directly comes from rubygems.org.

I think we should document this limitation rather than record a local-build checksum. What do you think this?

I think I agree with you here, it feels safer to ask users to download the bundler gem from rubygems.org in order to opt-in to the checksum feature.