Add sha256 checksum to rake build:checksum

[pboling]

… in addition to the existing SHA512

What was the end-user or developer problem that led to this PR?

• Until now Rubygems.org has publicly displayed SHA256 checksum for published gems, but has only created the SHA512 checksum for the package via rake build:checksum task
• This will allow more gem authors to easily verify integrity of published gems with an existing Rubygems.org feature
• See Security discrepancies between rake task and documentation #5942 for details on the problem

What is your fix for the problem, implemented in this PR?

Create a SHA256 checksum, in addition to the current SHA512 checksum.

Note that I've changed the Gem helper method from build_checksum to build_checksums. Certainly could keep it the same if that's a problem, but it felt good to be grammatically correct with it. Not sure if internal or external API.

Make sure the following tasks are checked

• Describe the problem / feature
• Tests - Have been updated
• Write code to solve the problem
• Make sure you follow the current code style and write meaningful commit messages without tags

[welcome]

Thanks for opening a pull request and helping make RubyGems and Bundler better! Someone from the RubyGems team will take a look at your pull request shortly and leave any feedback. Please make sure that your pull request has tests for any changes or added functionality.

We use GitHub Actions to test and make sure your change works functionally and uses acceptable conventions, you can review the current progress of GitHub Actions in the PR status window below.

If you have any questions or concerns that you wish to ask, feel free to leave a comment in this PR or join our #rubygems or #bundler channel on Slack.

For more information about contributing to the RubyGems project feel free to review our CONTRIBUTING guide

[pboling]

I am working on a PR updating rubygems.org documentation to be concordant with rake build:checksum to address the other parts of #5942 .

[deivid-rodriguez]

Thanks for fixing this, @pboling! I just have one request regarding lazily loading digest/sha, so that it's only loaded when this task is used.

[deivid-rodriguez]

Just to small additional comments, but it's most ready from my side. Thanks so much for working on this!

[deivid-rodriguez]

Super minor but I'm thinking, do you think the CHECKSUMS constant buys us much, over

write_checksum(built_gem_path, "sha256", Digest::SHA256)
write_checksum(built_gem_path, "sha512", Digest::SHA512)

[pboling]

It doesn't get us much, agreed.

[deivid-rodriguez]

Why was this moved inside the write_checksums method? It should be enough to run it just once I think?

[pboling]

Good point. Oversight.

[pboling]

I've created a gem that does this same concept, except it supports back to Ruby 2.2. I expect it can be used as an alternative when people are stuck on older versions of Ruby, as I often find myself. It has 98% test coverage, so I will attempt to leverage that in this PR when I have time to move the work over here.

I tried pushing the gem to RubyGems.org, but the push was rejected.

❯ bundle exec rake release
["gem", "build", "-V", "/Users/pboling/src/rubygems/gem_checksums/gem_checksums.gemspec"]
gem_checksums 1.0.0 built to pkg/gem_checksums-1.0.0.gem.
["git", "diff", "--exit-code"]
["git", "diff-index", "--quiet", "--cached", "HEAD"]
["git", "tag"]
["git", "tag", "-m", "Version 1.0.0", "v1.0.0"]
Tagged v1.0.0.
["git", "rev-parse", "--abbrev-ref", "HEAD"]
["git", "config", "--get", "branch.main.remote"]
["git", "rev-parse", "--abbrev-ref", "HEAD"]
["git", "push", "origin", "refs/heads/main"]
["git", "push", "origin", "refs/tags/v1.0.0"]
Pushed git commits and release tag.
["gem", "push", "/Users/pboling/src/rubygems/gem_checksums/pkg/gem_checksums-1.0.0.gem"]
Pushing gem to https://rubygems.org...
You have enabled multi-factor authentication. Please enter OTP code.
Code:   261990
RubyGems.org cannot process this gem.
Please try rebuilding it and installing it locally to make sure it's valid.

Perhaps if I change the name to germ_checksums? It's odd because I already have another, very popular, gem called gem_bench, but maybe there is a rule in place guarding the gem_* prefix for new gem pushes?

Renaming the gem to stone_checksums worked!

I left the repo name as is for now: https://github.com/pboling/gem_checksums

[deivid-rodriguez]

That's interesting, the error message is definitely not great because you just built the gem successfully 🤔

[pboling]

@deivid-rodriguez Aha! I think it is a likeness collision. It would be great to have more clarity around how this warks and what can be done to successfully rename.

https://rubygems.org/gems/gem-checksum

Perhaps it would have worked if I'd set up pending trusted publishers? I've never set that up because I don't want to be roped in that hard to GitHub. Or would the trusted publisher setup have warned me that the name would be rejected?

Also, the last line of the error is entirely misleading. 🗡️

Please try rebuilding it and installing it locally to make sure it's valid.

That would not have helped in this case.