Cannot match sha for packages built with `buildGoModule`

I am using the pkgs.buildGoModule for building a languager-server for sql:

    (buildGoModule rec {
      pname = "sqls";
      version = "0.2.18";
      src = fetchFromGitHub {
        owner = "lighttiger2505";
        repo = "sqls";
        rev = "v${version}";
        sha256 = "1879j77k96684wi554rkjxydrj8g3hpp0kvxz03sd8dmwr3lh83j";
      };
      vendorSha256 = "1879j77k96684wi554rkjxydrj8g3hpp0kvxz03sd8dmwr3lh83j";
    })

Despite I have set the sha to 1879j77k96684wi554rkjxydrj8g3hpp0kvxz03sd8dmwr3lh83j, I got the following error:

trying https://github.com/lighttiger2505/sqls/archive/v0.2.18.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   128  100   128    0     0    452      0 --:--:-- --:--:-- --:--:--   450
100 1172k    0 1172k    0     0  1538k      0 --:--:-- --:--:-- --:--:-- 1538k
unpacking source archive /private/tmp/nix-build-source.drv-0/v0.2.18.tar.gz
hash mismatch in fixed-output derivation '/nix/store/1dvkg8jdprh2hxxlvg4z3gcmh3dlhd47-source':
  wanted: sha256:1879j77k96684wi554rkjxydrj8g3hpp0kvxz03sd8dmwr3lh83j
  got:    sha256:13837v27avdp2nls3vyy7ml12nj7rxragchwf92adn10ffp4aj6c
cannot build derivation '/nix/store/w2raj5kw5aqsz0a1p23am7lvqw0ldi03-sqls-0.2.18.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/07asrx71233j77faax9wp6vrm2gdk44c-system-applications.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/mwz3010708c3x3w8nmgk57cz97rdbdpy-system-path.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/6y0sacryyadr4hxd779x7mwadwj1g1ws-darwin-system-21.11pre299952.7918dc5148d+darwin4.0000000.drv': 1 dependencies couldn't be built
error: build of '/nix/store/6y0sacryyadr4hxd779x7mwadwj1g1ws-darwin-system-21.11pre299952.7918dc5148d+darwin4.0000000.drv' failed

Where does that 13837v27avdp2nls3vyy7ml12nj7rxragchwf92adn10ffp4aj6c come from?

13837v27avdp2nls3vyy7ml12nj7rxragchwf92adn10ffp4aj6c is the Nix Hash of https://github.com/lighttiger2505/sqls/archive/v0.2.18.tar.gz. You can verify it more-or-less independently with nix-prefetch-url:

$ nix-prefetch-url --unpack https://github.com/lighttiger2505/sqls/archive/v0.2.18.tar.gz
unpacking...
[1.1 MiB DL]
path is '/nix/store/i8aswfm5jd93wxppahx6wkpma39dyzh1-v0.2.18.tar.gz'
13837v27avdp2nls3vyy7ml12nj7rxragchwf92adn10ffp4aj6c
$

You probably want to update the fetchFromGitHub sha256 to that value.

I never know that I can use nix-perfetch-url to check for the sha, thanks.

I am not sure if anyone will share this with me, but I think the error message there is quite misleading.

I guess ‘wanted’ and ‘got’ are a bit ambiguous, but they make sense to me: ‘wanted’ is the hash that is specified by a (presumably trusted) party, and ‘got’ is the hash derived from the (somewhat untrusted) internet. How would you word it more clearly?

Well, nix-prefetch-url works great for actual sources, but what about vendorSha256? As far as I know there’s no official way of handling that in an automated manner.

I’m not aware of any - I think the typical approach is ‘TOFU’ (Trust on first use), i.e. running the build with an empty vendorSha256, attempting the build and then copying the actual hash from the error message.

Right, and that’s what I do, but it’s not a usable workflow for developers. I’m trying to figure out if we can automate this.

I assume with “for developers” you mean in a development workflow where you make frequent changes to the sources and want a quick turn-around for running the tests and manually verifying the changes have the intended effect?

I think for that use case, it is common to not ‘build the package’ each time, but instead to create a ‘development shell’ where you can use your typical, incremental development tools. I haven’t done go development for a while though, so I’m not sure well-supported/integrated nix development shells for go are.