Non-matching SRI on `nix hash` and derivation


I am trying to bump fermyon-spin on nixpkgs to the newest release. It has a bunch of SRI’s for different systems. Let’s focus on for this issue.

When I want to bump some derivation that supports multiple systems and is based on binaries I usually run: nix hash to-sri sha256:$(nix-prefetch-url --type sha256).

❯ nix hash to-sri sha256:$(nix-prefetch-url --type sha256)
path is '/nix/store/jj73yj8z9ls911z72wcnv1v6jpy3cr24-spin-v2.1.0-linux-amd64.tar.gz'

If I try to set this SRI on the derivation, I get:

❯ nix-build -A fermyon-spin
these 2 derivations will be built:
building '/nix/store/l4a765msn3ajc3fc420rkarwac04y5rl-source.drv'...

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 29.8M  100 29.8M    0     0  38.2M      0 --:--:-- --:--:-- --:--:--  111M
unpacking source archive /build/spin-v2.1.0-linux-amd64.tar.gz
error: hash mismatch in fixed-output derivation '/nix/store/l4a765msn3ajc3fc420rkarwac04y5rl-source.drv':
         specified: sha256-A7YNKDKpAUUcC2MfNQFXEjY/NSqtH/coa9KsnlKQdFY=
            got:    sha256-i06Zp176zl7y8P32Hss64QkMc/+vXtkQy/tkOPSX3dc=
error: 1 dependencies of derivation '/nix/store/klgssifyvfg6drkzcfrmxxy94z9agsl9-fermyon-spin-2.1.0.drv' failed to build

My nix version is 2.18.1.

Do you know why this is happening? Thanks!

sorry to just be +1ing this post but I saw this with another package last week and was curious myself why nix hash was producing the wrong result Flake: updating src version of package to build does nothing - #2 by rjpc

I assume you are using fetchzip to download the archive. fetchzip unpacks the archive before computing the hash over the contents.

To get the same behaviour with nix-prefetch-url, you have to add the --unpack flag:

$ nix hash to-sri sha256:$(nix-prefetch-url --type sha256 --unpack)
path is '/nix/store/1bdgxa7cibqbx45r1x9m2pdmfzwh7ibg-spin-v2.1.0-linux-amd64.tar.gz'

oh jezz, forgetting that --unpack bit. duh. many thanks.