How do you securely use a Python package in a nix flake?

I’m very lazy.

I love Python, nix, and the many talented, hardworking people who freely share their work!
That leaves me cobbling together nix flakes to stand on these giant shoulders.

I’m trying to use this Python package in a flake: sql_metadata · PyPI. It is not in nixpkgs.

The wiki page has a section on how to do this here.

Yay!

I noticed buildPythonPackage expects you to specify a sha256 sum that looks something like:

sha256 = "sha256-0aozmQ4Eb5zL4rtNHSFjEynfObUkYlid1PgMDVmRkwY=";

If I go to PyPI, I see packages have sha256 sums listed, but they look quite different.
For example, sql_metadata==2.10.0 has 69f9ef71ac69759ae339f0aab6a8a718cf548100d08b742d24bb1800b7a2ea20 for the sha256 hash.

Nay…

Hmm… let me remove the shasum. Wait, not a Secure Idea.
nix agrees:

warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='

I agree with nix and yell “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA”.

So how might I compute the sha256sum expected by nix?

Or, how do you consume packages on PyPI that are not in nixpkgs?

1 Like

Another search landed me on the wiki Hash page: Nix Hash - NixOS Wiki

  • nix hashing follows the SRI specification and uses a unique base32 encoding scheme.

Practically speaking, you won’t find that value on PyPI.
So you need to use a tool to compute it yourself.

I took these steps:

  • downloaded the sql_metadata-2.10.0.tar.gz file from PyPI
  • ran sha256sum sql_metadata-2.10.0.tar.gz
  • manually verified that the shasum appears on the PyPI registry page
  • ran nix hash file sql_metadata-2.10.0.tar.gz

That printed out the value I was looking for: sha256-afnvcaxpdZrjOfCqtqinGM9UgQDQi3QtJLsYALei6iA=.

I should also note my worries are likely misplaced.
I’m verifying the integrity of the package, not its provenance or authority.

2 Likes
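Added example, not from anyone in this thread: the SRI value nix prints is just `sha256-` followed by the standard base64 encoding of the same 32 raw digest bytes that PyPI displays as hex, so you can convert the hex value from the PyPI page directly instead of downloading and re-hashing. The script below does that conversion in both directions, checks a downloaded archive against a pinned SRI hash, and flags the all-zero placeholder nix assumes when the hash is left empty. The two hash values are copied from the posts above; the archive bytes in the usage block are constructed and are not the real sdist.

```python
import base64
import hashlib
import hmac

# Values copied from the thread: PyPI's hex sha256 for sql_metadata-2.10.0.tar.gz
# and the SRI string nix printed for the same archive.
PYPI_HEX = "69f9ef71ac69759ae339f0aab6a8a718cf548100d08b742d24bb1800b7a2ea20"
NIX_SRI = "sha256-afnvcaxpdZrjOfCqtqinGM9UgQDQi3QtJLsYALei6iA="

# The placeholder nix substitutes for an empty hash attribute (lib.fakeSha256):
# base64 of 32 zero bytes.
FAKE_SHA256 = "sha256-" + base64.b64encode(bytes(32)).decode("ascii")

SUPPORTED = ("sha256", "sha512")


def hex_to_sri(hex_digest: str, algo: str = "sha256") -> str:
    """Convert a hex digest (as shown on PyPI) into the SRI form nix expects."""
    raw = bytes.fromhex(hex_digest)
    expected_len = hashlib.new(algo).digest_size
    if len(raw) != expected_len:
        raise ValueError(f"{algo} digest must be {expected_len} bytes, got {len(raw)}")
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def sri_to_hex(sri: str) -> tuple[str, str]:
    """Parse an SRI string back into (algorithm, hex digest)."""
    algo, sep, b64 = sri.partition("-")
    if not sep or algo not in SUPPORTED:
        raise ValueError(f"unsupported or malformed SRI hash: {sri!r}")
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != hashlib.new(algo).digest_size:
        raise ValueError(f"{algo} SRI hash has wrong digest length")
    return algo, raw.hex()


def is_placeholder(sri: str) -> bool:
    """True if the hash is the all-zero value nix assumes for an empty hash.

    A flake that still carries this value pins nothing: any content the
    fetcher returns would be accepted the first time nix reports the mismatch.
    """
    _, hex_digest = sri_to_hex(sri)
    return set(hex_digest) == {"0"}


def verify_archive(data: bytes, expected_sri: str) -> bool:
    """Return True only if the archive bytes hash to the pinned SRI value."""
    algo, expected_hex = sri_to_hex(expected_sri)
    actual_hex = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison; this guards the integrity check itself.
    return hmac.compare_digest(actual_hex, expected_hex)


if __name__ == "__main__":
    print("SRI from PyPI hex:", hex_to_sri(PYPI_HEX))
    print("round-trip ok:", sri_to_hex(NIX_SRI) == ("sha256", PYPI_HEX))
    print("empty-hash placeholder:", FAKE_SHA256, is_placeholder(FAKE_SHA256))
    # Constructed stand-in for a downloaded archive (not the real sdist).
    sample = b"constructed sample archive bytes"
    pinned = hex_to_sri(hashlib.sha256(sample).hexdigest())
    print("sample verifies:", verify_archive(sample, pinned))
    print("tampered verifies:", verify_archive(sample + b"x", pinned))
```

Running it with the thread's values reproduces `sha256-afnvcaxpdZrjOfCqtqinGM9UgQDQi3QtJLsYALei6iA=` from the hex shown on PyPI, which also confirms the two numbers describe the same archive. As the post above notes, this only pins integrity: it guarantees the build uses exactly the bytes whose hash you checked, not that those bytes came from the maintainer you think they did.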

The easiest way, and how it’s done most of the time (I guess), is just to use the hash that nix shows you when you don’t provide one, or use lib.fakeSha256.

2 Likes