Getting SRI hash from local checkout?

Hello community!

I’m trying to get the SRI hash of a local directory checked out with Git, to produce a custom lock file.

For the example, I have a directory with a checkout of exactly this repo and commit: GitHub - OCA/web at 5dc42ccd75641d6de4c0dd7a0b82ae781441d424

Since nix-hash doesn’t have an --exclude flag or similar (that sucks), I’m trying this:

➤ git checkout --force 5dc42ccd75641d6de4c0dd7a0b82ae781441d424

# Remove the .git folder because it pollutes the hash
➤ mv .git /tmp

# Produce a SRI
➤ nix-hash --type sha256 --sri .

Now I use nix-prefetch-url to download the archive and check its SRI too:

➤ nix-prefetch-url --unpack --type sha256 --name source
path is '/nix/store/1iyi5p4r6r40gwfmwb3kh4ndnmj3n25d-source'

➤ nix-hash --type sha256 --sri /nix/store/1iyi5p4r6r40gwfmwb3kh4ndnmj3n25d-source

As you can see, both hashes are different! However the folder contents are the same.

All I can notice is that the nix-store sources have a different timestamp. Is that the difference? Is there any way to get the SRI without having to remove .git or change local files timestamps?

If there’s no way but to go the nix-prefetch-url way… then is there a way to get the SRI but downloading it using the git protocol directly, instead of the github tarball?

I’m probably missing something obvious, but this is how far I’ve gotten.


I think the problem is that the name is included in the hash too. The path you’re getting from nix-prefetch-url is named source, and that’s included in the 1qqggzl7rmqvq0jmxd3fmjkq37kp7xhrn52qk7sw6bsj4s7jdjmy hash. Then, when you do nix-hash --type sha256 --sri /nix/store/1iyi5p4r6r40gwfmwb3kh4ndnmj3n25d-source, the name is actually not source anymore, it’s 1iyi5p4r6r40gwfmwb3kh4ndnmj3n25d-source, which means that the SRI hash you get is not actually the SRI equivalent of the first hash. And when you do nix-hash, the name is just whatever the name of your directory is.