Getting SRI hash from local checkout?

Hello community!

I’m trying to get the SRI hash of a local directory checked out with Git, to produce a custom lock file.

For the example, I have a directory with a checkout of exactly this repo and commit: GitHub - OCA/web at 5dc42ccd75641d6de4c0dd7a0b82ae781441d424

Since nix-hash doesn’t have an --exclude flag or similar (that sucks), I’m trying this:

➤ git checkout --force 5dc42ccd75641d6de4c0dd7a0b82ae781441d424

# Remove the .git folder because it pollutes the hash
➤ mv .git /tmp

# Produce a SRI
➤ nix-hash --type sha256 --sri .
sha256-gOWsuO+gBVN7ioxdaYgIuTL8cLNMr5uCDZE60UxAcYo=

Now I use nix-prefetch-url to download the archive and check its SRI too:

➤ nix-prefetch-url --unpack --type sha256 --name source https://github.com/OCA/web/archive/5dc42ccd75641d6de4c0dd7a0b82ae781441d424.zip
path is '/nix/store/1iyi5p4r6r40gwfmwb3kh4ndnmj3n25d-source'
1qqggzl7rmqvq0jmxd3fmjkq37kp7xhrn52qk7sw6bsj4s7jdjmy

➤ nix-hash --type sha256 --sri /nix/store/1iyi5p4r6r40gwfmwb3kh4ndnmj3n25d-source
sha256-vsomjyZSL8P1mVgUm2E/d56Bp6xutF4lwBvXfOh/D+M=

As you can see, the two hashes are different! However, the folder contents are the same.

All I can notice is that the nix-store sources have a different timestamp. Is that the difference? Is there any way to get the SRI without having to remove .git or change the local files' timestamps?

If there’s no way but to go the nix-prefetch-url way… then is there a way to get the SRI but downloading it using the git protocol directly, instead of the github tarball?

I’m probably missing something obvious, but this is how far I’ve gotten.

Thanks!

I think the problem is that the name is included in the hash too. The path you’re getting from nix-prefetch-url is named source, and that’s included in the 1qqggzl7rmqvq0jmxd3fmjkq37kp7xhrn52qk7sw6bsj4s7jdjmy hash. Then, when you do nix-hash --type sha256 --sri /nix/store/1iyi5p4r6r40gwfmwb3kh4ndnmj3n25d-source, the name is actually not source anymore, it’s 1iyi5p4r6r40gwfmwb3kh4ndnmj3n25d-source, which means that the SRI hash you get is not actually the SRI equivalent of the first hash. And when you do nix-hash, the name is just whatever the name of your directory is.
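
Added example, not part of either post: nix-prefetch-url prints its hash in Nix's own base32 encoding while nix-hash --sri prints base64, so the two outputs in the question cannot be compared by eye. This Python code (function names are chosen here, not taken from Nix) converts between the two encodings and compares the raw digests.

```python
"""Convert between Nix base32 and SRI encodings of a hash digest."""
import base64

# Nix's base32 alphabet omits the letters e, o, t and u.
NIX32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix32_decode(text: str, size: int = 32) -> bytes:
    """Decode Nix base32 into a raw digest of `size` bytes (32 for sha256)."""
    expected = (size * 8 - 1) // 5 + 1
    if len(text) != expected:
        raise ValueError(f"expected {expected} characters, got {len(text)}")
    value = 0
    for ch in text:  # the first character carries the most significant bits
        digit = NIX32.find(ch)
        if digit < 0:
            raise ValueError(f"{ch!r} is not in the Nix base32 alphabet")
        value = (value << 5) | digit
    try:
        # Nix reads the digest bytes as a little-endian number.
        return value.to_bytes(size, "little")
    except OverflowError:
        raise ValueError("padding bits are not zero") from None


def nix32_encode(digest: bytes) -> str:
    """Encode a raw digest the way nix-prefetch-url prints it."""
    value = int.from_bytes(digest, "little")
    length = (len(digest) * 8 - 1) // 5 + 1
    return "".join(NIX32[(value >> (5 * i)) & 31] for i in reversed(range(length)))


def to_sri(digest: bytes, algo: str = "sha256") -> str:
    """Format a raw digest as an SRI string such as sha256-<base64>."""
    return f"{algo}-{base64.b64encode(digest).decode()}"


def same_digest(nix32: str, sri: str) -> bool:
    """True when a Nix base32 sha256 hash and an SRI string hold the same bytes."""
    algo, _, b64 = sri.partition("-")
    return algo == "sha256" and nix32_decode(nix32) == base64.b64decode(b64, validate=True)


if __name__ == "__main__":
    # Both values are copied from the question above.
    prefetch = "1qqggzl7rmqvq0jmxd3fmjkq37kp7xhrn52qk7sw6bsj4s7jdjmy"
    store_sri = "sha256-vsomjyZSL8P1mVgUm2E/d56Bp6xutF4lwBvXfOh/D+M="
    print(to_sri(nix32_decode(prefetch)))
    print(same_digest(prefetch, store_sri))
```

Running the file prints the SRI form of the nix-prefetch-url hash and whether it carries the same digest as the nix-hash output for the store path.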