Lock the checksum of Bundler itself in the lockfile

bundler/lib/bundler/definition.rb

@@ -988,6 +988,8 @@ def converge_sources
         end
       end
 
+      sources.metadata_source.checksum_store.merge!(@locked_gems.metadata_source.checksum_store) if @locked_gems
+
       changes
     end
 

bundler/lib/bundler/lockfile_generator.rb

@@ -71,7 +71,8 @@ def add_checksums
       checksums = definition.resolve.map do |spec|
         spec.source.checksum_store.to_lock(spec)
       end
-      add_section("CHECKSUMS", checksums)
+
+      add_section("CHECKSUMS", checksums + bundler_checksum)
     end
 
     def add_locked_ruby_version
@@ -100,5 +101,19 @@ def add_section(name, value)
         raise ArgumentError, "#{value.inspect} can't be serialized in a lockfile"
       end
     end
+
+    def bundler_checksum
+      return [] if Bundler.gem_version.to_s.end_with?(".dev")
+
+      require "rubygems/package"
+
+      bundler_spec = definition.sources.metadata_source.specs.search(["bundler", Bundler.gem_version]).last
+      return [] unless File.exist?(bundler_spec.cache_file)
+
+      package = Gem::Package.new(bundler_spec.cache_file)
+      definition.sources.metadata_source.checksum_store.register(bundler_spec, Checksum.from_gem_package(package))
+
+      [definition.sources.metadata_source.checksum_store.to_lock(bundler_spec)]
+    end
   end
 end

bundler/lib/bundler/lockfile_parser.rb

@@ -28,6 +28,7 @@ def to_s
 
     attr_reader(
       :sources,
+      :metadata_source,
       :dependencies,
       :specs,
       :platforms,
@@ -97,6 +98,7 @@ def self.bundled_with
     def initialize(lockfile, strict: false)
       @platforms    = []
       @sources      = []
+      @metadata_source = Source::Metadata.new
       @dependencies = {}
       @parse_method = nil
       @specs        = {}
@@ -252,7 +254,12 @@ def parse_checksum(line)
       version = Gem::Version.new(version)
       platform = platform ? Gem::Platform.new(platform) : Gem::Platform::RUBY
       full_name = Gem::NameTuple.new(name, version, platform).full_name
-      return unless spec = @specs[full_name]
+      spec = @specs[full_name]
+
+      if name == "bundler"
+        spec ||= LazySpecification.new(name, version, platform, @metadata_source)
+      end
+      return unless spec
 
       if checksums
         checksums.split(",") do |lock_checksum|

bundler/lib/bundler/source/metadata.rb

@@ -58,6 +58,10 @@ def hash
       def version_message(spec)
         "#{spec.name} #{spec.version}"
       end
+
+      def checksum_store
+        @checksum_store ||= Checksum::Store.new
+      end
     end
   end
 end

bundler/spec/commands/lock_spec.rb

@@ -2295,6 +2295,10 @@
 
     bundle("lock --add-checksums", artifice: "endpoint")
 
+    checksums = checksums_section_when_enabled do |c|
+      c.no_checksum "warning", "18.0.0"
+    end
+
     expect(lockfile).to eq <<~L
       GEM
         remote: https://gem.repo4/
@@ -2306,10 +2310,7 @@
 
       DEPENDENCIES
         warning
-
-      CHECKSUMS
-        warning (18.0.0)
-
+      #{checksums}
       BUNDLED WITH
         #{Bundler::VERSION}
     L

bundler/spec/commands/update_spec.rb

@@ -1419,9 +1419,7 @@
          #{lockfile_platforms}
 
        DEPENDENCIES
-
-       CHECKSUMS
-
+       #{checksums_section_when_enabled}
        RUBY VERSION
          #{Bundler::RubyVersion.system}
 
@@ -1537,6 +1535,7 @@
 
     checksums = checksums_section do |c|
       c.checksum(gem_repo4, "myrack", "1.0")
+      c.checksum(gem_repo4, "bundler", "999.0.0")
     end
 
     install_gemfile <<-G
@@ -1621,6 +1620,7 @@
 
     checksums = checksums_section do |c|
       c.checksum(gem_repo4, "myrack", "1.0")
+      c.checksum(gem_repo4, "bundler", "9.9.9")
     end
 
     install_gemfile <<-G
@@ -1745,6 +1745,7 @@
     # Only updates properly on modern RubyGems.
     checksums = checksums_section_when_enabled do |c|
       c.checksum(gem_repo4, "myrack", "1.0")
+      c.checksum(local_gem_path, "bundler", "9.0.0", Gem::Platform::RUBY, "cache")
     end
 
     expect(lockfile).to eq <<~L

bundler/spec/support/checksums.rb

@@ -3,6 +3,8 @@
 module Spec
   module Checksums
     class ChecksumsBuilder
+      attr_reader :bundler_registered
+
       def initialize(enabled = true, &block)
         @enabled = enabled
         @checksums = {}
@@ -14,9 +16,11 @@ def initialize_copy(original)
         @checksums = @checksums.dup
       end
 
-      def checksum(repo, name, version, platform = Gem::Platform::RUBY)
+      def checksum(repo, name, version, platform = Gem::Platform::RUBY, folder = "gems")
+        @bundler_registered = true if name == "bundler"
+
         name_tuple = Gem::NameTuple.new(name, version, platform)
-        gem_file = File.join(repo, "gems", "#{name_tuple.full_name}.gem")
+        gem_file = File.join(repo, folder, "#{name_tuple.full_name}.gem")
         File.open(gem_file, "rb") do |f|
           register(name_tuple, Bundler::Checksum.from_gem(f, "#{gem_file} (via ChecksumsBuilder#checksum)"))
         end
@@ -50,8 +54,13 @@ def register(name_tuple, checksum)
       end
     end
 
-    def checksums_section(enabled = true, &block)
-      ChecksumsBuilder.new(enabled, &block)
+    def checksums_section(enabled = true, bundler_checksum: true, &block)
+      ChecksumsBuilder.new(enabled, &block).tap do |builder|
+        next if builder.bundler_registered || !bundler_checksum
+
+        next if Bundler::VERSION.to_s.end_with?(".dev")
+        builder.checksum(system_gem_path, "bundler", Bundler::VERSION, Gem::Platform::RUBY, "cache")
+      end
     end
 
     def checksums_section_when_enabled(target_lockfile = nil, &block)
@@ -64,7 +73,7 @@ def checksums_section_when_enabled(target_lockfile = nil, &block)
     end
 
     def checksum_to_lock(*args)
-      checksums_section do |c|
+      checksums_section(true, bundler_checksum: false) do |c|
         c.checksum(*args)
       end.to_s.sub(/^CHECKSUMS\n/, "").strip
     end