Bundler Checksum removed if you get bundler from rubygems, vs from gem install bundler

[broksonic21]

Describe the problem as clearly as you can

After updating RubyGems (which ships a new bundler) and then running bundle update --bundler to bump BUNDLED WITH, the previous bundler version's self-entry is removed from the Gemfile.lock CHECKSUMS block — but the new bundler version's self-entry is not added. All other gems' checksum entries are preserved.

This is a fallout of #9366 and is causing lockfile churn for all our engineers.

The result is a CHECKSUMS block that's missing exactly one line: the bundler self-checksum for the version recorded in BUNDLED WITH. Subsequent bundle install and bundle lock --add-checksums runs do not re-add it.

This produces noisy lockfile churn across contributors: anyone preparing a bundler bump PR ships a lockfile missing the bundler self-checksum.

Did you try upgrading rubygems & bundler?

Yes — this reproduces on the latest. RubyGems 4.0.12 / Bundler 4.0.12

Post steps to reproduce the problem

100% reproducible:

1. Start from a project whose Gemfile.lock has BUNDLED WITH 4.0.11 and a CHECKSUMS block containing a bundler (4.0.11) sha256=… entry.
2. gem update --system to upgrade RubyGems to 4.0.12 (which ships Bundler 4.0.12).
3. bundle update --bundler.
4. Diff Gemfile.lock.

Result: BUNDLED WITH becomes 4.0.12, the old bundler (4.0.11) checksum line is removed from CHECKSUMS, and no bundler (4.0.12) checksum line is added.

Follow-up bundle install and bundle lock --add-checksums do not re-add the missing entry.

Which command did you run?

gem update --system
bundle update --bundler

What were you expecting to happen?

After bundle update --bundler bumps BUNDLED WITH, the CHECKSUMS block should contain a bundler self-entry for the new version — the same way checksum entries are preserved/refreshed for every other gem in the lockfile.

What happened instead?

The old bundler self-entry is stripped from CHECKSUMS and no new entry takes its place. BUNDLED WITH updates correctly. No other CHECKSUMS lines change. Subsequent bundle install / bundle lock --add-checksums do not recover the missing line.

Unless you are on a machine that's run gem install bundler - then it does.
OR if you ran bundle update --bundler before gem update --system

issue appears to be here:

The relevant code is in lib/bundler/source/metadata.rb lines 13–30:

if local_spec = Gem.loaded_specs["bundler"]
  raise CorruptBundlerInstallError.new(local_spec) if local_spec.version.to_s != Bundler::VERSION
  idx << local_spec
else
  idx << Gem::Specification.new do |s|
    s.name     = "bundler"
    s.version  = VERSION
    ...
    s.loaded_from = SharedHelpers.gemspec_path
  end
end

The fabricated Gem::Specification in the else branch has no source and never gets a checksum recorded in the store. When bundler was installed via gem install bundler it lands in Gem.loaded_specs with full provenance and a checksum is available; when it was only delivered via gem update --system (rubygems-vendored bundler), the else branch fires and no self-checksum is ever emitted to the lockfile.

bundle env output

Bundler       4.0.12
  Platforms   ruby, arm64-darwin-25
RubyGems      4.0.12