cideM
September 1, 2021, 4:06pm
1
I want to know the correct sha256 of a URL in advance without having to first set it to an invalid value in the derivation.
$ nix-shell -p nix-prefetch --run 'nix-prefetch builtins.fetchurl --url https://update.code.visualstudio.com/latest/darwin-arm64/insider'
warning: unknown setting 'experimental-features'
warning: unknown setting 'experimental-features'
The fetcher will be called as follows:
> builtins.fetchurl {
> sha256 = "sha256:0000000000000000000000000000000000000000000000000000";
> url = "https://update.code.visualstudio.com/latest/darwin-arm64/insider";
> }
12ms4wi3hrcqxpbzpa09ybbbmq5z179pb3maymn8vf3mq0dsvgdy
But if I then set it to an invalid hash in my Home Manager configuration and build that, the sha256 I get for
src = builtins.fetchurl {
name = "VSCode_${version}_${plat}.${archive_fmt}";
url = "https://update.code.visualstudio.com/latest/darwin-arm64/insider";
sha256 = sha;
};
is
$ home-manager build --flake .#work-m1
warning: Git tree '/Users/fbs/dotfiles' is dirty
error: hash mismatch in file downloaded from 'https://update.code.visualstudio.com/latest/darwin-arm64/insider':
specified: sha256:12ms4wi3hrcqxpbzpa09ybbbmq5z179pb3maymn8vf3mq0dsvgdy
got: sha256:0nh4mfxsw4nhfnznjv5grjfzinvxa0sr86xzl6rnsxyhnpq1pn89
(use '--show-trace' to show detailed location information)
Does anyone know why there’s a difference between the two and how I can get sha256:0nh4mfxsw4nhfnznjv5grjfzinvxa0sr86xzl6rnsxyhnpq1pn89 from the CLI without any hacks?
2 Likes
The latest in the URL leads me to believe that the fetched content changes over time; i.e. that two separate fetches risk pulling different content, and thus having a different shasum.
Unsure if you were just unlucky (the content changed right in the middle of your testing), or if something else is at play though…
cideM
September 2, 2021, 7:38am
3
I ran these commands repeatedly and tried it again just now but the results are the same.
$ nix --version
nix (Nix) 2.4pre20210802_47e96bb
$ nix-shell -p nix-prefetch --run 'nix --version'
nix (Nix) 2.4pre20210802_47e96bb
$ nix-shell -p nix-prefetch --run 'nix-prefetch builtins.fetchurl --url https://update.code.visualstudio.com/latest/darwin-arm64/insider'
warning: unknown setting 'experimental-features'
warning: unknown setting 'experimental-features'
The fetcher will be called as follows:
> builtins.fetchurl {
> sha256 = "sha256:0000000000000000000000000000000000000000000000000000";
> url = "https://update.code.visualstudio.com/latest/darwin-arm64/insider";
> }
12ms4wi3hrcqxpbzpa09ybbbmq5z179pb3maymn8vf3mq0dsvgdy
$ home-manager build --flake .#work-m1
warning: Git tree '/Users/fbs/dotfiles' is dirty
error: hash mismatch in file downloaded from 'https://update.code.visualstudio.com/latest/darwin-arm64/insider':
specified: sha256:12ms4wi3hrcqxpbzpa09ybbbmq5z179pb3maymn8vf3mq0dsvgdy
got: sha256:0nh4mfxsw4nhfnznjv5grjfzinvxa0sr86xzl6rnsxyhnpq1pn89
(use '--show-trace' to show detailed location information)
r-burns
September 2, 2021, 8:48am
4
You need to use the real url for the download, the “latest” url is a redirect.
$ nix-hash --type sha256 --base32 --flat <(curl -o - https://update.code.visualstudio.com/latest/darwin-arm64/insider)
0n5mxh0xyilf97sc3g4ghvp8bdcalj6xj6y6mayvqx5qs01y12av
gives the same hash as your fetchurl, but if you look at the actual content of the curl, it’s just:
Found. Redirecting to https://az764295.vo.msecnd.net/insider/e7d7e9a9348e6a8cc8c03f877d39cb72e5dfb1ff/VSCode-darwin-arm64.zip
Using that url gives the hash you expected:
$ nix-hash --type sha256 --base32 --flat <(curl -o - https://az764295.vo.msecnd.net/insider/e7d7e9a9348e6a8cc8c03f877d39cb72e5dfb1ff/VSCode-darwin-arm64.zip)
12ms4wi3hrcqxpbzpa09ybbbmq5z179pb3maymn8vf3mq0dsvgdy
3 Likes
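An added example, not part of any post in this thread: it hashes a downloaded body in the base32 form that `nix-hash --base32` prints and reports whether the body is a ZIP archive or the short "Found. Redirecting to ..." stub, so the check happens before a hash is pinned. The sample stub URL, the sample archive and the function names are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"  # Nix's base32 alphabet (no e, o, t, u)

def nix_base32(digest: bytes) -> str:
    """Encode a digest the way `nix-hash --base32` prints it."""
    out = []
    for n in range((len(digest) * 8 - 1) // 5, -1, -1):
        i, j = divmod(n * 5, 8)
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_B32[c & 0x1F])
    return "".join(out)

def inspect_download(body: bytes) -> dict:
    """Hash a downloaded body and say what it actually is before the hash is pinned."""
    stub = re.match(rb"Found\. Redirecting to (\S+)", body)
    if zipfile.is_zipfile(io.BytesIO(body)):
        kind = "zip"
    elif stub:
        kind = "redirect-stub"
    else:
        kind = "unknown"
    return {
        "kind": kind,
        "size": len(body),
        "sha256": nix_base32(hashlib.sha256(body).digest()),
        "redirect_target": stub.group(1).decode() if stub else None,
    }

def make_sample_zip() -> bytes:
    """Constructed stand-in for the real archive (built in memory, no network)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Visual Studio Code.app/placeholder", "constructed sample")
    return buf.getvalue()

# Constructed stand-in for the body served by a "latest" URL that only redirects.
SAMPLE_STUB = (b"Found. Redirecting to "
               b"https://cdn.example.invalid/insider/COMMIT/VSCode-darwin-arm64.zip")

if __name__ == "__main__":
    for label, body in (("latest URL body", SAMPLE_STUB),
                        ("final URL body", make_sample_zip())):
        print(label, inspect_download(body))
```

A "redirect-stub" result means the hash covers the redirect notice, not the archive; the `redirect_target` value is the URL to fetch and hash instead.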
cideM
September 2, 2021, 8:56am
5
I see, thank you so much for the help! I guess I should have looked at the output instead of just dumping it to /dev/null assuming it’s the archive.