Using upstream hashes

nim65s · August 18, 2024, 9:17am

Hi,

I have a JSON with a list of urls and their associated sha256. The manual says these hash could be used:

Upstream hash: use it when upstream provides sha256 or sha512

But the manual also says that I can’t use those, are those are not the fixed output derivation ones:

This hash refers to the derivation output, which can be different from the remote source itself!

For example, I have this:

{
  "sha256": "9d68472d4cba5cf8c2b79d94f86f92c828e76a632bd1e6be5e7706e5b304d36e",
  "url": "https://github.com/espressif/binutils-gdb/releases/download/esp-gdb-v14.2_20240403/xtensa-esp-elf-gdb-14.2_20240403-x86_64-linux-gnu.tar.gz"
}

Which seems good:

$ sha256sum xtensa-esp-elf-gdb-14.2_20240403-x86_64-linux-gnu.tar.gz 
9d68472d4cba5cf8c2b79d94f86f92c828e76a632bd1e6be5e7706e5b304d36e  xtensa-esp-elf-gdb-14.2_20240403-x86_64-linux-gnu.tar.gz

And give the following SRI:

$ nix hash to-sri sha256:9d68472d4cba5cf8c2b79d94f86f92c828e76a632bd1e6be5e7706e5b304d36e
sha256-nWhHLUy6XPjCt52U+G+SyCjnamMr0ea+XncG5bME024=

But this the hash of the source, not the fixed-output derivation:

error: hash mismatch in fixed-output derivation '/nix/store/fv1c5vswfs8f1rkra0vidwqdrkay4bfp-source.drv':
         specified: sha256-nWhHLUy6XPjCt52U+G+SyCjnamMr0ea+XncG5bME024=
            got:    sha256-H+s6OuQ8lVAk+F0mbMo0dtEQZa6Q3Rv5zDkpUX/PAkk=

So is it possible to use upstream hash at all ? How ?

edwinistrator · August 18, 2024, 10:04am

Hi,
could you please show which fetcher you’re using in your nix expression? If the fetcher also unpacks the tarball (like pkgs.fetchzip does), the required hash will be that of the tarball’s extracted content, while the upstream hash is for the tarball itself.

So if you want to use the upstream hashes, you need to to use something like pkgs.fetchurl.

nim65s · August 18, 2024, 8:42pm

You’re right, thanks !
I was using fetchzip, but simply switching to fetchurl fix my issue.