Hello community!
I’m trying to get the SRI hash of a local directory checked out with Git, to produce a custom lock file.
For the example, I have a directory with a checkout of exactly this repo and commit: GitHub - OCA/web at 5dc42ccd75641d6de4c0dd7a0b82ae781441d424
Since nix-hash doesn’t have an --exclude flag or similar (that sucks), I’m trying this:
➤ git checkout --force 5dc42ccd75641d6de4c0dd7a0b82ae781441d424
# Remove the .git folder because it pollutes the hash
➤ mv .git /tmp
# Produce a SRI
➤ nix-hash --type sha256 --sri .
sha256-gOWsuO+gBVN7ioxdaYgIuTL8cLNMr5uCDZE60UxAcYo=
Now I use nix-prefetch-url to download the archive and check its SRI too:
➤ nix-prefetch-url --unpack --type sha256 --name source https://github.com/OCA/web/archive/5dc42ccd75641d6de4c0dd7a0b82ae781441d424.zip
path is '/nix/store/1iyi5p4r6r40gwfmwb3kh4ndnmj3n25d-source'
1qqggzl7rmqvq0jmxd3fmjkq37kp7xhrn52qk7sw6bsj4s7jdjmy
➤ nix-hash --type sha256 --sri /nix/store/1iyi5p4r6r40gwfmwb3kh4ndnmj3n25d-source
sha256-vsomjyZSL8P1mVgUm2E/d56Bp6xutF4lwBvXfOh/D+M=
As you can see, both hashes are different! However, the folder contents are the same.
All I can notice is that the nix-store sources have a different timestamp. Is that the difference? Is there any way to get the SRI without having to remove .git or change local files timestamps?
If there’s no way but to go the nix-prefetch-url way… then is there a way to get the SRI but downloading it using the git protocol directly, instead of the github tarball?
I’m probably missing something obvious, but this is how far I’ve gotten.
Thanks!