Use SRI hash (strings) as the official JSON format for Hash after all

The fact that we were introducing a conversion from the output of `nix path-info` into the input of `builtins.fetchTree` was the deciding factor. We want scripting outputs into inputs like that to be easy. Since JSON strings and objects are trivially distinguishable, we still have the option of introducing the JSON format as an alternative input scheme in the future, should we want to. (The output format would still be SRI in that case, presumably.)
2025-12-10 11:01:03 +01:00 · 2025-12-08 15:34:15 -05:00 · 2025-12-08 15:34:15 -05:00 · 61de9222b0
commit 61de9222b0
parent 401e08f839
44 changed files with 78 additions and 348 deletions
--- a/doc/manual/rl-next/json-format-changes.md
+++ b/doc/manual/rl-next/json-format-changes.md
@ -49,17 +49,10 @@ The new structured format follows the [JSON guidelines](@docroot@/development/js
  Content address is now a structured JSON object instead of a string:

  - Old: `"ca": "fixed:r:sha256:1abc..."`
-  - New: `"ca": {"method": "nar", "hash": {"algorithm": "sha256", "format": "base16", "hash": "10c209fa..."}}`
+  - New: `"ca": {"method": "nar", "hash": "sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="}`
  - Still `null` values for input-addressed store objects

- **Structured hash fields**:
-
-  Hash values (`narHash` and `downloadHash`) are now structured JSON objects instead of strings:
-
-  - Old: `"narHash": "sha256:FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc="`
-  - New: `"narHash": {"algorithm": "sha256", "format": "base16", "hash": "15e3c5608946..."}`
-  - Same structure applies to `downloadHash` in NAR info contexts
-  - The `format` field is always `"base16"` (hexadecimal)
+  The `hash` field uses the [SRI](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) format like other hashes.

 Nix currently only produces, and doesn't consume this format.

--- a/doc/manual/source/protocols/json/hash.md
+++ b/doc/manual/source/protocols/json/hash.md
@ -5,13 +5,13 @@
 ### SHA-256

 ```json
-{{#include schema/hash-v1/sha256-base16.json}}
+{{#include schema/hash-v1/sha256.json}}
 ```

 ### BLAKE3

 ```json
-{{#include schema/hash-v1/blake3-base16.json}}
+{{#include schema/hash-v1/blake3.json}}
 ```

 <!-- need to convert YAML to JSON first
--- a/doc/manual/source/protocols/json/schema/hash-v1.yaml
+++ b/doc/manual/source/protocols/json/schema/hash-v1.yaml
@ -4,36 +4,13 @@ title: Hash
 description: |
  A cryptographic hash value used throughout Nix for content addressing and integrity verification.

-  This schema describes the JSON representation of Nix's `Hash` type.
-type: object
-properties:
-  algorithm:
-    "$ref": "#/$defs/algorithm"
-  format:
-    type: string
-    enum:
-    - base16
-    title: Hash format
-    description: |
-      The encoding format of the hash value.
+  This schema describes the JSON representation of Nix's `Hash` type as an [SRI](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) string.
+type: string
+pattern: "^(blake3|md5|sha1|sha256|sha512)-[A-Za-z0-9+/]+=*$"
+examples:
+- "sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="
+- "sha512-IEqPxt2oLwoM7XvrjgikFlfBbvRosiioJ5vjMacDwzWW/RXBOxsH+aodO+pXeJygMa2Fx6cd1wNU7GMSOMo0RQ=="

-      `base16` (lowercase hexadecimal) is the only format that is currently supported for JSON serialization.
-      This field exists primarily to reduce ambiguity about what the hash means.
-      It would also help us support other formats in the future, but there are no concrete plans to do so at this.
-  hash:
-    type: string
-    title: Hash
-    description: |
-      The encoded hash value, itself.
-
-      It is specified in the format specified by the `format` field.
-      It must be the right length for the hash algorithm specified in the `algorithm` field, also.
-      The hash value does not include any algorithm prefix.
-required:
- algorithm
- format
- hash
-additionalProperties: false
 "$defs":
  algorithm:
    type: string
--- a/src/json-schema-checks/meson.build
+++ b/src/json-schema-checks/meson.build
@ -32,8 +32,8 @@ schemas = [
    'stem' : 'hash',
    'schema' : schema_dir / 'hash-v1.yaml',
    'files' : [
-      'sha256-base16.json',
-      'blake3-base16.json',
+      'sha256.json',
+      'blake3.json',
    ],
  },
  {
--- a/src/libstore-tests/data/common-protocol/content-address.json
+++ b/src/libstore-tests/data/common-protocol/content-address.json
@ -1,26 +1,14 @@
 [
  {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "f9773d2e5ea670f96dc1a7b0ae4fc1010e7a6371b94ffff0ce1294734ceb62ed"
-    },
+    "hash": "sha256-+Xc9Ll6mcPltwaewrk/BAQ56Y3G5T//wzhKUc0zrYu0=",
    "method": "text"
  },
  {
-    "hash": {
-      "algorithm": "sha1",
-      "format": "base16",
-      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
-    },
+    "hash": "sha1-gGemBoenViNZM3hiwqns/Fgzqwo=",
    "method": "flat"
  },
  {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  }
 ]
--- a/src/libstore-tests/data/common-protocol/optional-content-address.json
+++ b/src/libstore-tests/data/common-protocol/optional-content-address.json
@ -1,11 +1,7 @@
 [
  null,
  {
-    "hash": {
-      "algorithm": "sha1",
-      "format": "base16",
-      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
-    },
+    "hash": "sha1-gGemBoenViNZM3hiwqns/Fgzqwo=",
    "method": "flat"
  }
 ]
--- a/src/libstore-tests/data/content-address/nar.json
+++ b/src/libstore-tests/data/content-address/nar.json
@ -1,8 +1,4 @@
 {
-  "hash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "f6f2ea8f45d8a057c9566a33f99474da2e5c6a6604d736121650e2730c6fb0a3"
-  },
+  "hash": "sha256-9vLqj0XYoFfJVmoz+ZR02i5camYE1zYSFlDicwxvsKM=",
  "method": "nar"
 }
--- a/src/libstore-tests/data/content-address/text.json
+++ b/src/libstore-tests/data/content-address/text.json
@ -1,8 +1,4 @@
 {
-  "hash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b"
-  },
+  "hash": "sha256-8OTC92xYkW7CWPJGhRvqCR0U1CR6L8PhhpRGGxgW4Ts=",
  "method": "text"
 }
--- a/src/libstore-tests/data/derivation/output-caFixedFlat.json
+++ b/src/libstore-tests/data/derivation/output-caFixedFlat.json
@ -1,8 +1,4 @@
 {
-  "hash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "894517c9163c896ec31a2adbd33c0681fd5f45b2c0ef08a64c92a03fb97f390f"
-  },
+  "hash": "sha256-iUUXyRY8iW7DGirb0zwGgf1fRbLA7wimTJKgP7l/OQ8=",
  "method": "flat"
 }
--- a/src/libstore-tests/data/derivation/output-caFixedNAR.json
+++ b/src/libstore-tests/data/derivation/output-caFixedNAR.json
@ -1,8 +1,4 @@
 {
-  "hash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "894517c9163c896ec31a2adbd33c0681fd5f45b2c0ef08a64c92a03fb97f390f"
-  },
+  "hash": "sha256-iUUXyRY8iW7DGirb0zwGgf1fRbLA7wimTJKgP7l/OQ8=",
  "method": "nar"
 }
--- a/src/libstore-tests/data/derivation/output-caFixedText.json
+++ b/src/libstore-tests/data/derivation/output-caFixedText.json
@ -1,8 +1,4 @@
 {
-  "hash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "894517c9163c896ec31a2adbd33c0681fd5f45b2c0ef08a64c92a03fb97f390f"
-  },
+  "hash": "sha256-iUUXyRY8iW7DGirb0zwGgf1fRbLA7wimTJKgP7l/OQ8=",
  "method": "text"
 }
--- a/src/libstore-tests/data/dummy-store/one-flat-file.json
+++ b/src/libstore-tests/data/dummy-store/one-flat-file.json
@ -12,19 +12,11 @@
      },
      "info": {
        "ca": {
-          "hash": {
-            "algorithm": "sha256",
-            "format": "base16",
-            "hash": "7f579dbae488602d41a1f5c0d6dc9c17bf408b635230942d504af1e43c4b6125"
-          },
+          "hash": "sha256-f1eduuSIYC1BofXA1tycF79Ai2NSMJQtUErx5DxLYSU=",
          "method": "nar"
        },
        "deriver": null,
-        "narHash": {
-          "algorithm": "sha256",
-          "format": "base16",
-          "hash": "7f579dbae488602d41a1f5c0d6dc9c17bf408b635230942d504af1e43c4b6125"
-        },
+        "narHash": "sha256-f1eduuSIYC1BofXA1tycF79Ai2NSMJQtUErx5DxLYSU=",
        "narSize": 120,
        "references": [],
        "registrationTime": null,
--- a/src/libstore-tests/data/nar-info/json-2/impure.json
+++ b/src/libstore-tests/data/nar-info/json-2/impure.json
@ -1,25 +1,13 @@
 {
  "ca": {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  },
  "compression": "xz",
  "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-  "downloadHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "downloadHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "downloadSize": 4029176,
-  "narHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "narSize": 34878,
  "references": [
    "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
--- a/src/libstore-tests/data/nar-info/json-2/pure.json
+++ b/src/libstore-tests/data/nar-info/json-2/pure.json
@ -1,17 +1,9 @@
 {
  "ca": {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  },
-  "narHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "narSize": 34878,
  "references": [
    "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
--- a/src/libstore-tests/data/path-info/json-2/empty_impure.json
+++ b/src/libstore-tests/data/path-info/json-2/empty_impure.json
@ -1,11 +1,7 @@
 {
  "ca": null,
  "deriver": null,
-  "narHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "narSize": 0,
  "references": [],
  "registrationTime": null,
--- a/src/libstore-tests/data/path-info/json-2/empty_pure.json
+++ b/src/libstore-tests/data/path-info/json-2/empty_pure.json
@ -1,10 +1,6 @@
 {
  "ca": null,
-  "narHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "narSize": 0,
  "references": [],
  "storeDir": "/nix/store",
--- a/src/libstore-tests/data/path-info/json-2/impure.json
+++ b/src/libstore-tests/data/path-info/json-2/impure.json
@ -1,18 +1,10 @@
 {
  "ca": {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  },
  "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-  "narHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "narSize": 34878,
  "references": [
    "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
--- a/src/libstore-tests/data/path-info/json-2/pure.json
+++ b/src/libstore-tests/data/path-info/json-2/pure.json
@ -1,17 +1,9 @@
 {
  "ca": {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  },
-  "narHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "narSize": 34878,
  "references": [
    "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
--- a/src/libstore-tests/data/serve-protocol/content-address.json
+++ b/src/libstore-tests/data/serve-protocol/content-address.json
@ -1,26 +1,14 @@
 [
  {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "f9773d2e5ea670f96dc1a7b0ae4fc1010e7a6371b94ffff0ce1294734ceb62ed"
-    },
+    "hash": "sha256-+Xc9Ll6mcPltwaewrk/BAQ56Y3G5T//wzhKUc0zrYu0=",
    "method": "text"
  },
  {
-    "hash": {
-      "algorithm": "sha1",
-      "format": "base16",
-      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
-    },
+    "hash": "sha1-gGemBoenViNZM3hiwqns/Fgzqwo=",
    "method": "flat"
  },
  {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  }
 ]
--- a/src/libstore-tests/data/serve-protocol/optional-content-address.json
+++ b/src/libstore-tests/data/serve-protocol/optional-content-address.json
@ -1,11 +1,7 @@
 [
  null,
  {
-    "hash": {
-      "algorithm": "sha1",
-      "format": "base16",
-      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
-    },
+    "hash": "sha1-gGemBoenViNZM3hiwqns/Fgzqwo=",
    "method": "flat"
  }
 ]
--- a/src/libstore-tests/data/serve-protocol/unkeyed-valid-path-info-2.3.json
+++ b/src/libstore-tests/data/serve-protocol/unkeyed-valid-path-info-2.3.json
@ -2,11 +2,7 @@
  {
    "ca": null,
    "deriver": null,
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "0000000000000000000000000000000000000000000000000000000000000000"
-    },
+    "narHash": "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "narSize": 34878,
    "references": [],
    "registrationTime": null,
@ -18,11 +14,7 @@
  {
    "ca": null,
    "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "0000000000000000000000000000000000000000000000000000000000000000"
-    },
+    "narHash": "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "narSize": 34878,
    "references": [
      "g1w7hyyyy1w7hy3qg1w7hy3qgqqqqy3q-foo.drv"
--- a/src/libstore-tests/data/serve-protocol/unkeyed-valid-path-info-2.4.json
+++ b/src/libstore-tests/data/serve-protocol/unkeyed-valid-path-info-2.4.json
@ -2,11 +2,7 @@
  {
    "ca": null,
    "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "references": [
      "g1w7hyyyy1w7hy3qg1w7hy3qgqqqqy3q-foo.drv"
@ -19,19 +15,11 @@
  },
  {
    "ca": {
-      "hash": {
-        "algorithm": "sha256",
-        "format": "base16",
-        "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-      },
+      "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
      "method": "nar"
    },
    "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "references": [
      "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
--- a/src/libstore-tests/data/worker-protocol/content-address.json
+++ b/src/libstore-tests/data/worker-protocol/content-address.json
@ -1,26 +1,14 @@
 [
  {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "f9773d2e5ea670f96dc1a7b0ae4fc1010e7a6371b94ffff0ce1294734ceb62ed"
-    },
+    "hash": "sha256-+Xc9Ll6mcPltwaewrk/BAQ56Y3G5T//wzhKUc0zrYu0=",
    "method": "text"
  },
  {
-    "hash": {
-      "algorithm": "sha1",
-      "format": "base16",
-      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
-    },
+    "hash": "sha1-gGemBoenViNZM3hiwqns/Fgzqwo=",
    "method": "flat"
  },
  {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  }
 ]
--- a/src/libstore-tests/data/worker-protocol/optional-content-address.json
+++ b/src/libstore-tests/data/worker-protocol/optional-content-address.json
@ -1,11 +1,7 @@
 [
  null,
  {
-    "hash": {
-      "algorithm": "sha1",
-      "format": "base16",
-      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
-    },
+    "hash": "sha1-gGemBoenViNZM3hiwqns/Fgzqwo=",
    "method": "flat"
  }
 ]
--- a/src/libstore-tests/data/worker-protocol/unkeyed-valid-path-info-1.15.json
+++ b/src/libstore-tests/data/worker-protocol/unkeyed-valid-path-info-1.15.json
@ -2,11 +2,7 @@
  {
    "ca": null,
    "deriver": null,
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "references": [],
    "registrationTime": 23423,
@ -18,11 +14,7 @@
  {
    "ca": null,
    "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "references": [
      "g1w7hyyyy1w7hy3qg1w7hy3qgqqqqy3q-foo.drv"
--- a/src/libstore-tests/data/worker-protocol/valid-path-info-1.15.json
+++ b/src/libstore-tests/data/worker-protocol/valid-path-info-1.15.json
@ -2,11 +2,7 @@
  {
    "ca": null,
    "deriver": null,
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "path": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
    "references": [],
@ -19,11 +15,7 @@
  {
    "ca": null,
    "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "path": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
    "references": [
--- a/src/libstore-tests/data/worker-protocol/valid-path-info-1.16.json
+++ b/src/libstore-tests/data/worker-protocol/valid-path-info-1.16.json
@ -2,11 +2,7 @@
  {
    "ca": null,
    "deriver": null,
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "path": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
    "references": [],
@ -19,11 +15,7 @@
  {
    "ca": null,
    "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "path": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
    "references": [
@ -41,19 +33,11 @@
  },
  {
    "ca": {
-      "hash": {
-        "algorithm": "sha256",
-        "format": "base16",
-        "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-      },
+      "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
      "method": "nar"
    },
    "deriver": null,
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "path": "n5wkd9frr45pa74if5gpz9j7mifg27fh-foo",
    "references": [
--- a/src/libutil-tests/data/hash/blake3-base16.json
+++ b/src/libutil-tests/data/hash/blake3-base16.json
@ -1,5 +0,0 @@
-{
-  "algorithm": "blake3",
-  "format": "base16",
-  "hash": "9e70ee1449965fb62d049040a1ed06ec377430da6ec13173e7c4fffcd28be980"
-}
--- a/src/libutil-tests/data/hash/blake3.json
+++ b/src/libutil-tests/data/hash/blake3.json
@ -0,0 +1 @@
+"blake3-nnDuFEmWX7YtBJBAoe0G7Dd0MNpuwTFz58T//NKL6YA="
--- a/src/libutil-tests/data/hash/sha256-base16.json
+++ b/src/libutil-tests/data/hash/sha256-base16.json
@ -1,5 +0,0 @@
-{
-  "algorithm": "sha256",
-  "format": "base16",
-  "hash": "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b"
-}
--- a/src/libutil-tests/data/hash/sha256-base64.json
+++ b/src/libutil-tests/data/hash/sha256-base64.json
@ -1,5 +0,0 @@
-{
-  "algorithm": "sha256",
-  "format": "base64",
-  "hash": "8OTC92xYkW7CWPJGhRvqCR0U1CR6L8PhhpRGGxgW4Ts="
-}
--- a/src/libutil-tests/data/hash/sha256-nix32.json
+++ b/src/libutil-tests/data/hash/sha256-nix32.json
@ -1,5 +0,0 @@
-{
-    "algorithm": "sha256",
-    "format": "nix32",
-    "hash": "0fz12qc1nillhvhw6bvs4ka18789x8dqaipjb316x4aqdkvw5r7h"
-}
--- a/src/libutil-tests/data/hash/sha256.json
+++ b/src/libutil-tests/data/hash/sha256.json
@ -0,0 +1 @@
+"sha256-8OTC92xYkW7CWPJGhRvqCR0U1CR6L8PhhpRGGxgW4Ts="
--- a/src/libutil-tests/data/hash/sha512.json
+++ b/src/libutil-tests/data/hash/sha512.json
@ -0,0 +1 @@
+"sha256-8OTC92xYkW7CWPJGhRvqCR0U1CR6L8PhhpRGGxgW4Ts="
--- a/src/libutil-tests/data/hash/simple.json
+++ b/src/libutil-tests/data/hash/simple.json
@ -1,5 +0,0 @@
-{
-  "algorithm": "sha256",
-  "format": "base16",
-  "hash": "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b"
-}
--- a/src/libutil-tests/hash.cc
+++ b/src/libutil-tests/hash.cc
@ -215,9 +215,6 @@ struct HashJsonTest : virtual HashTest,
                      ::testing::WithParamInterface<std::pair<std::string_view, Hash>>
 {};

-struct HashJsonParseFailureTest : virtual HashTest, ::testing::WithParamInterface<std::string_view>
-{};
-
 struct BLAKE3HashJsonTest : virtual HashTest,
                            BLAKE3HashTest,
                            JsonCharacterizationTest<Hash>,
@ -236,14 +233,6 @@ TEST_P(HashJsonTest, to_json)
    writeJsonTest(name, value);
 }

-TEST_P(HashJsonParseFailureTest, from_json)
-{
-    auto & name = GetParam();
-    auto path = goldenMaster(Path{name} + ".json");
-    auto encoded = json::parse(readFile(path));
-    ASSERT_THROW(nlohmann::adl_serializer<Hash>::from_json(encoded), Error);
-}
-
 TEST_P(BLAKE3HashJsonTest, from_json)
 {
    auto & [name, expected] = GetParam();
@ -256,32 +245,25 @@ TEST_P(BLAKE3HashJsonTest, to_json)
    writeJsonTest(name, expected);
 }

-// Round-trip tests (from_json + to_json) for base16 format only
-// (to_json always outputs base16)
 INSTANTIATE_TEST_SUITE_P(
    HashJSON,
    HashJsonTest,
    ::testing::Values(
        std::pair{
-            "simple",
+            "sha256",
            hashString(HashAlgorithm::SHA256, "asdf"),
        },
        std::pair{
-            "sha256-base16",
+            "sha512",
            hashString(HashAlgorithm::SHA256, "asdf"),
        }));

-// Failure tests for unsupported formats (base64, nix32, sri)
-// These verify that non-base16 formats are rejected
-INSTANTIATE_TEST_SUITE_P(
-    HashJSONParseFailure, HashJsonParseFailureTest, ::testing::Values("sha256-base64", "sha256-nix32"));
-
 INSTANTIATE_TEST_SUITE_P(BLAKE3HashJSON, BLAKE3HashJsonTest, ([] {
                             ExperimentalFeatureSettings mockXpSettings;
                             mockXpSettings.set("experimental-features", "blake3-hashes");
                             return ::testing::Values(
                                 std::pair{
-                                     "blake3-base16",
+                                     "blake3",
                                     hashString(HashAlgorithm::BLAKE3, "asdf", mockXpSettings),
                                 });
                         }()));
--- a/src/libutil/hash.cc
+++ b/src/libutil/hash.cc
@ -519,27 +519,13 @@ using namespace nix;

 Hash adl_serializer<Hash>::from_json(const json & json, const ExperimentalFeatureSettings & xpSettings)
 {
-    auto & obj = getObject(json);
-    auto algo = parseHashAlgo(getString(valueAt(obj, "algorithm")), xpSettings);
-    auto formatStr = getString(valueAt(obj, "format"));
-    auto format = parseHashFormat(formatStr);
-
-    // Only base16 format is supported for JSON serialization
-    if (format != HashFormat::Base16) {
-        throw Error("hash format '%s' is not supported in JSON; only 'base16' is currently supported", formatStr);
-    }
-
-    auto & hashS = getString(valueAt(obj, "hash"));
-    return Hash::parseExplicitFormatUnprefixed(hashS, algo, format, xpSettings);
+    auto & s = getString(json);
+    return Hash::parseSRI(s, xpSettings);
 }

 void adl_serializer<Hash>::to_json(json & json, const Hash & hash)
 {
-    json = {
-        {"format", printHashFormat(HashFormat::Base16)},
-        {"algorithm", printHashAlgo(hash.algo)},
-        {"hash", hash.to_string(HashFormat::Base16, false)},
-    };
+    json = hash.to_string(HashFormat::SRI, true);
 }

 } // namespace nlohmann
--- a/tests/functional/fixed.sh
+++ b/tests/functional/fixed.sh
@ -17,11 +17,7 @@ nix-build fixed.nix -A bad --no-out-link && fail "should fail"
 nix path-info --json --json-format 2 "$path" | jq -e \
    '.info.[].ca == {
        method: "flat",
-        hash: {
-            algorithm: "md5",
-            format: "base16",
-            hash: "8ddd8be4b179a529afa5f2ffae4b9858"
-        },
+        hash: "md5-jd2L5LF5pSmvpfL/rkuYWA=="
    }'

 echo 'testing good...'
--- a/tests/functional/git-hashing/simple-common.sh
+++ b/tests/functional/git-hashing/simple-common.sh
@ -47,16 +47,15 @@ try2 () {
    hashFromGit=$(git -C "$repo" rev-parse "HEAD:$hashPath")
    [[ "$hashFromGit" == "$expected" ]]

+    # Convert base16 hash to SRI format for comparison
+    local hashSRI
+    hashSRI=$(nix hash convert --from base16 --to sri --hash-algo "$hashAlgo" "$hashFromGit")
+
    nix path-info --json --json-format 2 "$path" | jq -e \
-        --arg algo "$hashAlgo" \
-        --arg hash "$hashFromGit" \
+        --arg hashSRI "$hashSRI" \
        '.info.[].ca == {
            method: "git",
-            hash: {
-                algorithm: $algo,
-                format: "base16",
-                hash: $hash
-            },
+            hash: $hashSRI
        }'
 }

--- a/tests/functional/impure-derivations.sh
+++ b/tests/functional/impure-derivations.sh
@ -30,7 +30,7 @@ path1_stuff=$(echo "$json" | jq -r .[].outputs.stuff)
 [[ $(< "$path1"/n) = 0 ]]
 [[ $(< "$path1_stuff"/bla) = 0 ]]

-nix path-info --json --json-format 2 "$path1" | jq -e '.info.[].ca | .method == "nar" and .hash.algorithm == "sha256"'
+nix path-info --json --json-format 2 "$path1" | jq -e '.info.[].ca | .method == "nar" and (.hash | startswith("sha256-"))'

 path2=$(nix build -L --no-link --json --file ./impure-derivations.nix impure | jq -r .[].outputs.out)
 [[ $(< "$path2"/n) = 1 ]]
--- a/tests/functional/nix-profile.sh
+++ b/tests/functional/nix-profile.sh
@ -166,7 +166,7 @@ printf 4.0 > "$flake1Dir"/version
 printf Utrecht > "$flake1Dir"/who
 nix profile add "$flake1Dir"
 [[ $("$TEST_HOME"/.nix-profile/bin/hello) = "Hello Utrecht" ]]
-nix path-info --json --json-format 2 "$(realpath "$TEST_HOME"/.nix-profile/bin/hello)" | jq -e '.info.[].ca | .method == "nar" and .hash.algorithm == "sha256"'
+nix path-info --json --json-format 2 "$(realpath "$TEST_HOME"/.nix-profile/bin/hello)" | jq -e '.info.[].ca | .method == "nar" and (.hash | startswith("sha256-"))'

 # Override the outputs.
 nix profile remove simple flake1
--- a/tests/functional/path-info.sh
+++ b/tests/functional/path-info.sh
@ -20,16 +20,8 @@ diff --unified --color=always \
        jq --sort-keys '.info | map_values(.narHash)') \
    <(jq --sort-keys <<-EOF
        {
-          "$fooBase": {
-            "algorithm": "sha256",
-            "format": "base16",
-            "hash": "42fb4031b525feebe2f8b08e6e6a8e86f34e6a91dd036ada888e311b9cc8e690"
-          },
-          "$barBase": {
-            "algorithm": "sha256",
-            "format": "base16",
-            "hash": "f5f8581aef5fab17100b629cf35aa1d91328d5070b054068f14fa93e7fa3b614"
-          },
+          "$fooBase": "sha256-QvtAMbUl/uvi+LCObmqOhvNOapHdA2raiI4xG5zI5pA=",
+          "$barBase": "sha256-9fhYGu9fqxcQC2Kc81qh2RMo1QcLBUBo8U+pPn+jthQ=",
          "$bazBase": null
        }
 EOF
--- a/tests/functional/signing.sh
+++ b/tests/functional/signing.sh
@ -58,7 +58,7 @@ nix store verify -r "$outPath2" --sigs-needed 1 --trusted-public-keys "$pk1"
 # Build something content-addressed.
 outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no-out-link)

-nix path-info --json --json-format 2 "$outPathCA" | jq -e '.info.[].ca | .method == "flat" and .hash.algorithm == "md5"'
+nix path-info --json --json-format 2 "$outPathCA" | jq -e '.info.[].ca | .method == "flat" and (.hash | startswith("md5-"))'

 # Content-addressed paths don't need signatures, so they verify
 # regardless of --sigs-needed.
--- a/tests/nixos/fetchers-substitute.nix
+++ b/tests/nixos/fetchers-substitute.nix
@ -120,9 +120,8 @@
      # Get the NAR hash of the unpacked tarball in SRI format
      path_info_json = substituter.succeed(f"nix path-info --json-format 2 --json {tarball_store_path}").strip()
      path_info_dict = json.loads(path_info_json)["info"]
-      narHash_obj = path_info_dict[os.path.basename(tarball_store_path)]["narHash"]
-      # Convert from structured format {"algorithm": "sha256", "format": "base16", "hash": "..."} to SRI string
-      tarball_hash_sri = substituter.succeed(f"nix hash convert --to sri {narHash_obj['algorithm']}:{narHash_obj['hash']}").strip()
+      # narHash is already in SRI format
+      tarball_hash_sri = path_info_dict[os.path.basename(tarball_store_path)]["narHash"]
      print(f"Tarball NAR hash (SRI): {tarball_hash_sri}")

      # Also get the old format hash for fetchTarball (which uses sha256 parameter)
				`@ -0,0 +1 @@`
				`"blake3-nnDuFEmWX7YtBJBAoe0G7Dd0MNpuwTFz58T//NKL6YA="`
				`@ -0,0 +1 @@`
				`"sha256-8OTC92xYkW7CWPJGhRvqCR0U1CR6L8PhhpRGGxgW4Ts="`