Nix Hash: Difference between revisions
imported>Colemickens No edit summary |
imported>Piegamesde Corrected SRI hash definition |
Line 20: | Line 20: | ||
You can specify the hash in '''any base''' that's supported. Thus, <code>sha256 = "21d536debb3076d4f6e9044bd9ef15c8c58b29f9cbd4ad406b058310a565debc";</code> is equally allowed. | You can specify the hash in '''any base''' that's supported. Thus, <code>sha256 = "21d536debb3076d4f6e9044bd9ef15c8c58b29f9cbd4ad406b058310a565debc";</code> is equally allowed. | ||
An alternative – and supposedly preferred – way of specifying hashes are so-called "SRI hashes". They're pretty simple, | An alternative – and supposedly preferred – way of specifying hashes are so-called "SRI hashes". They're pretty simple, as the hash contains the algorithm used and always is in base64: | ||
<syntaxHighlight lang=nix> | <syntaxHighlight lang=nix> | ||
src = fetchurl { | src = fetchurl { | ||
url = "https://example.org/downloads/source-code.zip"; | url = "https://example.org/downloads/source-code.zip"; | ||
hash = "sha256- | hash = "sha256-IdU23rswdtT26QRL2e8VyMWLKfnL1K1AawWDEKVl3rw="; | ||
}; | }; | ||
</syntaxHighlight> | </syntaxHighlight> | ||
If you find a hash that uses colon as a separator (<code><type>:<hash></code>), don't use that. This relies on undocumented behavior and is not officially supported. | |||
=== What exactly is hashed === | === What exactly is hashed === | ||
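Review bot: The added paragraph on colon-separated hashes (<code><type>:<hash></code>) says "don't use that" but gives the reader nothing to do with a hash found in that form. Suggest adding one sentence telling them to rewrite it as an SRI hash (<code><type>-<base64></code>), which is the form this section recommends. Two smaller points in the rewritten SRI sentence: "way of specifying hashes are" should be "is", and "always is in base64" reads better as "is always in base64". It would also help to state that the new example value <code>sha256-IdU23rswdtT26QRL2e8VyMWLKfnL1K1AawWDEKVl3rw=</code> is the same digest as the hex string in the preceding paragraph, since it decodes to exactly those bytes and the page never says so.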
Line 39: | Line 41: | ||
=== Tools === | === Tools === | ||
The tool of choice for hashing is <code>nix-hash</code>, although it will be deprecated [https://github.com/NixOS/nix/issues/1191#issuecomment-273839319 one day]. The new alternatives are [[Nix_command/hash-file]] and [[Nix_command/hash-path]], which however are "EXPERIMENTAL and subject to change". <code>nix-hash</code> offers the <code>--to-base32</code> flag (which the new | The tool of choice for hashing is <code>nix-hash</code>, although it will be deprecated [https://github.com/NixOS/nix/issues/1191#issuecomment-273839319 one day]. The new alternatives are [[Nix_command/hash-file]] and [[Nix_command/hash-path]], which however are "EXPERIMENTAL and subject to change". <code>nix-hash</code> offers the <code>--to-base32</code> flag (for which [[Nix_command/to-sri]] is the new alternative) that takes in a hex hash and converts that hash to custom-base32. On the other hand, <code>nix-hash</code> does not support the new <code>sha512</code> algorithm or the base64 encoding. | ||
When dealing with remote files, <code>nix-prefetch-url</code> offers a handy shortcut for downloading the file into the Nix store and printing out its hash. (<code>nix-prefetch-url --unpack</code> is its <code>fetchzip</code> equivalent.) | When dealing with remote files, <code>nix-prefetch-url</code> offers a handy shortcut for downloading the file into the Nix store and printing out its hash. (<code>nix-prefetch-url --unpack</code> is its <code>fetchzip</code> equivalent.) |
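Review bot: The new parenthetical "(for which [[Nix_command/to-sri]] is the new alternative)" presents to-sri as a replacement for <code>--to-base32</code>, but the sentence goes on to say the flag converts to custom-base32, while the section above says SRI hashes are always base64. The two do not produce the same encoding, so suggest wording this as a related conversion rather than a drop-in alternative, and stating the output format of each. The parenthetical also sits between "flag" and "that takes in a hex hash", which makes the sentence hard to parse; moving it to its own sentence after "custom-base32." would fix that.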