Use SRI hash (strings) as the official JSON format for Hash after all

The fact that we were introducing a conversion from the output of `nix path-info` into the input of `builtins.fetchTree` was the deciding factor. We want scripting outputs into inputs like that to be easy. Since JSON strings and objects are trivially distinguishable, we still have the option of introducing the JSON format as an alternative input scheme in the future, should we want to. (The output format would still be SRI in that case, presumably.)
2025-12-12 20:11:03 +01:00 · 2025-12-08 15:34:15 -05:00 · 2025-12-08 15:34:15 -05:00 · 61de9222b0
commit 61de9222b0
parent 401e08f839
44 changed files with 78 additions and 348 deletions
--- a/tests/functional/fixed.sh
+++ b/tests/functional/fixed.sh
@ -17,11 +17,7 @@ nix-build fixed.nix -A bad --no-out-link && fail "should fail"
 nix path-info --json --json-format 2 "$path" | jq -e \
    '.info.[].ca == {
        method: "flat",
-        hash: {
-            algorithm: "md5",
-            format: "base16",
-            hash: "8ddd8be4b179a529afa5f2ffae4b9858"
-        },
+        hash: "md5-jd2L5LF5pSmvpfL/rkuYWA=="
    }'

 echo 'testing good...'
--- a/tests/functional/git-hashing/simple-common.sh
+++ b/tests/functional/git-hashing/simple-common.sh
@ -47,16 +47,15 @@ try2 () {
    hashFromGit=$(git -C "$repo" rev-parse "HEAD:$hashPath")
    [[ "$hashFromGit" == "$expected" ]]

+    # Convert base16 hash to SRI format for comparison
+    local hashSRI
+    hashSRI=$(nix hash convert --from base16 --to sri --hash-algo "$hashAlgo" "$hashFromGit")
+
    nix path-info --json --json-format 2 "$path" | jq -e \
-        --arg algo "$hashAlgo" \
-        --arg hash "$hashFromGit" \
+        --arg hashSRI "$hashSRI" \
        '.info.[].ca == {
            method: "git",
-            hash: {
-                algorithm: $algo,
-                format: "base16",
-                hash: $hash
-            },
+            hash: $hashSRI
        }'
 }

--- a/tests/functional/impure-derivations.sh
+++ b/tests/functional/impure-derivations.sh
@ -30,7 +30,7 @@ path1_stuff=$(echo "$json" | jq -r .[].outputs.stuff)
 [[ $(< "$path1"/n) = 0 ]]
 [[ $(< "$path1_stuff"/bla) = 0 ]]

-nix path-info --json --json-format 2 "$path1" | jq -e '.info.[].ca | .method == "nar" and .hash.algorithm == "sha256"'
+nix path-info --json --json-format 2 "$path1" | jq -e '.info.[].ca | .method == "nar" and (.hash | startswith("sha256-"))'

 path2=$(nix build -L --no-link --json --file ./impure-derivations.nix impure | jq -r .[].outputs.out)
 [[ $(< "$path2"/n) = 1 ]]
--- a/tests/functional/nix-profile.sh
+++ b/tests/functional/nix-profile.sh
@ -166,7 +166,7 @@ printf 4.0 > "$flake1Dir"/version
 printf Utrecht > "$flake1Dir"/who
 nix profile add "$flake1Dir"
 [[ $("$TEST_HOME"/.nix-profile/bin/hello) = "Hello Utrecht" ]]
-nix path-info --json --json-format 2 "$(realpath "$TEST_HOME"/.nix-profile/bin/hello)" | jq -e '.info.[].ca | .method == "nar" and .hash.algorithm == "sha256"'
+nix path-info --json --json-format 2 "$(realpath "$TEST_HOME"/.nix-profile/bin/hello)" | jq -e '.info.[].ca | .method == "nar" and (.hash | startswith("sha256-"))'

 # Override the outputs.
 nix profile remove simple flake1
--- a/tests/functional/path-info.sh
+++ b/tests/functional/path-info.sh
@ -20,16 +20,8 @@ diff --unified --color=always \
        jq --sort-keys '.info | map_values(.narHash)') \
    <(jq --sort-keys <<-EOF
        {
-          "$fooBase": {
-            "algorithm": "sha256",
-            "format": "base16",
-            "hash": "42fb4031b525feebe2f8b08e6e6a8e86f34e6a91dd036ada888e311b9cc8e690"
-          },
-          "$barBase": {
-            "algorithm": "sha256",
-            "format": "base16",
-            "hash": "f5f8581aef5fab17100b629cf35aa1d91328d5070b054068f14fa93e7fa3b614"
-          },
+          "$fooBase": "sha256-QvtAMbUl/uvi+LCObmqOhvNOapHdA2raiI4xG5zI5pA=",
+          "$barBase": "sha256-9fhYGu9fqxcQC2Kc81qh2RMo1QcLBUBo8U+pPn+jthQ=",
          "$bazBase": null
        }
 EOF
--- a/tests/functional/signing.sh
+++ b/tests/functional/signing.sh
@ -58,7 +58,7 @@ nix store verify -r "$outPath2" --sigs-needed 1 --trusted-public-keys "$pk1"
 # Build something content-addressed.
 outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no-out-link)

-nix path-info --json --json-format 2 "$outPathCA" | jq -e '.info.[].ca | .method == "flat" and .hash.algorithm == "md5"'
+nix path-info --json --json-format 2 "$outPathCA" | jq -e '.info.[].ca | .method == "flat" and (.hash | startswith("md5-"))'

 # Content-addressed paths don't need signatures, so they verify
 # regardless of --sigs-needed.
--- a/tests/nixos/fetchers-substitute.nix
+++ b/tests/nixos/fetchers-substitute.nix
@ -120,9 +120,8 @@
      # Get the NAR hash of the unpacked tarball in SRI format
      path_info_json = substituter.succeed(f"nix path-info --json-format 2 --json {tarball_store_path}").strip()
      path_info_dict = json.loads(path_info_json)["info"]
-      narHash_obj = path_info_dict[os.path.basename(tarball_store_path)]["narHash"]
-      # Convert from structured format {"algorithm": "sha256", "format": "base16", "hash": "..."} to SRI string
-      tarball_hash_sri = substituter.succeed(f"nix hash convert --to sri {narHash_obj['algorithm']}:{narHash_obj['hash']}").strip()
+      # narHash is already in SRI format
+      tarball_hash_sri = path_info_dict[os.path.basename(tarball_store_path)]["narHash"]
      print(f"Tarball NAR hash (SRI): {tarball_hash_sri}")

      # Also get the old format hash for fetchTarball (which uses sha256 parameter)