Non-matching SRI on `nix hash` and derivation

Hello,

I am trying to bump fermyon-spin on nixpkgs to the newest release. It has a bunch of SRIs for different systems. Let’s focus on https://github.com/fermyon/spin/releases/download/v2.1.0/spin-v2.1.0-linux-amd64.tar.gz for this issue.

When I want to bump some derivation that supports multiple systems and is based on binaries I usually run: `nix hash to-sri sha256:$(nix-prefetch-url https://github.com/fermyon/spin/releases/download/v2.1.0/spin-v2.1.0-linux-amd64.tar.gz --type sha256)`.

❯ nix hash to-sri sha256:$(nix-prefetch-url https://github.com/fermyon/spin/releases/download/v2.1.0/spin-v2.1.0-linux-amd64.tar.gz --type sha256)
path is '/nix/store/jj73yj8z9ls911z72wcnv1v6jpy3cr24-spin-v2.1.0-linux-amd64.tar.gz'
sha256-A7YNKDKpAUUcC2MfNQFXEjY/NSqtH/coa9KsnlKQdFY=

If I try to set this SRI on the derivation, I get:

❯ nix-build -A fermyon-spin
these 2 derivations will be built:
  /nix/store/l4a765msn3ajc3fc420rkarwac04y5rl-source.drv
  /nix/store/klgssifyvfg6drkzcfrmxxy94z9agsl9-fermyon-spin-2.1.0.drv
building '/nix/store/l4a765msn3ajc3fc420rkarwac04y5rl-source.drv'...

trying https://github.com/fermyon/spin/releases/download/v2.1.0/spin-v2.1.0-linux-amd64.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 29.8M  100 29.8M    0     0  38.2M      0 --:--:-- --:--:-- --:--:--  111M
unpacking source archive /build/spin-v2.1.0-linux-amd64.tar.gz
error: hash mismatch in fixed-output derivation '/nix/store/l4a765msn3ajc3fc420rkarwac04y5rl-source.drv':
         specified: sha256-A7YNKDKpAUUcC2MfNQFXEjY/NSqtH/coa9KsnlKQdFY=
            got:    sha256-i06Zp176zl7y8P32Hss64QkMc/+vXtkQy/tkOPSX3dc=
error: 1 dependencies of derivation '/nix/store/klgssifyvfg6drkzcfrmxxy94z9agsl9-fermyon-spin-2.1.0.drv' failed to build

My nix version is 2.18.1.

Do you know why this is happening? Thanks!

Sorry to just be +1ing this post, but I saw this with another package last week and was curious myself why nix hash was producing the wrong result: Flake: updating src version of package to build does nothing - #2 by rjpc

I assume you are using fetchzip to download the archive. fetchzip unpacks the archive before computing the hash over the contents.

To get the same behaviour with nix-prefetch-url, you have to add the --unpack flag:

$ nix hash to-sri sha256:$(nix-prefetch-url https://github.com/fermyon/spin/releases/download/v2.1.0/spin-v2.1.0-linux-amd64.tar.gz --type sha256 --unpack)
path is '/nix/store/1bdgxa7cibqbx45r1x9m2pdmfzwh7ibg-spin-v2.1.0-linux-amd64.tar.gz'
sha256-i06Zp176zl7y8P32Hss64QkMc/+vXtkQy/tkOPSX3dc=

Oh jeez, forgetting that --unpack bit. Duh. Many thanks.