This is a gem that runs Bundler checksum integrity checks against RubyGems API.
It allows to detect packages that were tampered with or replaced via cache poison or replaced.
It uses correct SHA checksums from the RubyGems API, so if anything happened "in between" it should be detected.
No warranties whatsoever.
For local you can add
bundler-integrity to your gemfile (recommended):
bundle add bundler-integrity bundle install # And run this to verify integrity of your local installation bundle exec bundler-integrity
You can also export the expected checksums with the gems package names, so you can compare that on multiple servers without having to install this package everywhere.
To do so, install
bundler-integrity on one of the machines as stated above and run:
bundle exec bundler-integrity export
to get list of all the expected checksums for all the packages.
Maciej Mensfeld and WhiteSource :)