Nix Hash: Difference between revisions
→Updating Packages: Sentence case, demote to <h3>
Artoria2e5 (talk | contribs) (I don't believe we need a "hashes in nix" heading here. Again, sections are folded by default on mobile, so the "0th section" better has some content.) |
Artoria2e5 (talk | contribs) (→Updating Packages: Sentence case, demote to <h3>) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 19: | Line 19: | ||
The format of the hash follows the [https://www.w3.org/TR/SRI/#introduction SRI (Subresource Integrity)] specification. | The format of the hash follows the [https://www.w3.org/TR/SRI/#introduction SRI (Subresource Integrity)] specification. | ||
== Updating | === Updating packages === | ||
[https://nixos.org/manual/nixpkgs/stable/#chap-pkgs-fetchers-caveats Using TOFU to get the new hash] | [https://nixos.org/manual/nixpkgs/stable/#chap-pkgs-fetchers-caveats Using TOFU to get the new hash] | ||
| Line 25: | Line 25: | ||
== What exactly is hashed == | == What exactly is hashed == | ||
Some content can either be hashed "flat" or "recursively". "flat" (sometimes also called "file") is simply taking the hash of the file, byte by byte, and will give you the same result as for example `sha256sum -b myfile.zip`. "recursive" (or sometimes "path") hashing takes multiple files, path names and metadata (attributes) into consideration. It works by | Some content can either be hashed "flat" or "recursively". "flat" (sometimes also called "file") is simply taking the hash of the file, byte by byte, and will give you the same result as for example `sha256sum -b myfile.zip`. "recursive" (or sometimes "path") hashing takes multiple files, path names and metadata (attributes) into consideration. It works by <abbr title="nix archive (file format)">NAR</abbr>ing the input before hashing. | ||
For <code>fetchurl</code>, the option to switch between both is called <code>recursiveHash</code> and defaults to <code>false</code>. | For <code>fetchurl</code>, the option to switch between both is called <code>recursiveHash</code> and defaults to <code>false</code>. | ||
<code>fetchzip</code> on the other hand will download the file, unzip it and then recursively hash the output. There's no option. | <code>fetchzip</code> on the other hand will download the file, unzip it and then recursively hash the output. There's no option. The motivation behind this is that sometimes, the content is always the same, but the archive may change. This is because zip files are inherently non-deterministic, and might be generated automatically. If they are regenerated, they'll have a different hash, although the content is the same. <code>recursiveHash</code> works around that. | ||
The motivation behind this is that sometimes, the content is always the same, but the archive may change. This is because zip files are inherently non-deterministic, and might be generated automatically. If they are regenerated, they'll have a different hash, although the content is the same. <code>recursiveHash</code> works around that. | |||
== Tools == | == Tools == | ||
[https://nixos.org/manual/nix/stable/command-ref/nix-hash.html nix-hash] | * [https://nixos.org/manual/nix/stable/command-ref/nix-hash.html nix-hash] | ||
* [https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-hash nix hash] ([[nix command]]) | |||
[https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-hash nix hash] | |||
When dealing with remote files, <code>nix-prefetch-url</code> offers a handy shortcut for downloading the file into the Nix store and printing out its hash. (<code>nix-prefetch-url --unpack</code> is its <code>fetchzip</code> equivalent.) | When dealing with remote files, <code>nix-prefetch-url</code> offers a handy shortcut for downloading the file into the Nix store and printing out its hash. (<code>nix-prefetch-url --unpack</code> is its <code>fetchzip</code> equivalent.) | ||