Merge pull request #14743 from NixOS/sri-in-json

Use SRI hash (strings) as the official JSON format for Hash after all
2025-12-12 12:01:05 +01:00 · 2025-12-08 22:25:11 +00:00 · 2025-12-08 22:25:11 +00:00 · bc0af77ba7
commit bc0af77ba7
parent 8ab5c2bc21 61de9222b0
45 changed files with 84 additions and 353 deletions
--- a/tests/functional/fixed.sh
+++ b/tests/functional/fixed.sh
@ -17,11 +17,7 @@ nix-build fixed.nix -A bad --no-out-link && fail "should fail"
 nix path-info --json --json-format 2 "$path" | jq -e \
    '.info.[].ca == {
        method: "flat",
-        hash: {
-            algorithm: "md5",
-            format: "base16",
-            hash: "8ddd8be4b179a529afa5f2ffae4b9858"
-        },
+        hash: "md5-jd2L5LF5pSmvpfL/rkuYWA=="
    }'

 echo 'testing good...'
--- a/tests/functional/git-hashing/simple-common.sh
+++ b/tests/functional/git-hashing/simple-common.sh
@ -47,16 +47,15 @@ try2 () {
    hashFromGit=$(git -C "$repo" rev-parse "HEAD:$hashPath")
    [[ "$hashFromGit" == "$expected" ]]

+    # Convert base16 hash to SRI format for comparison
+    local hashSRI
+    hashSRI=$(nix hash convert --from base16 --to sri --hash-algo "$hashAlgo" "$hashFromGit")
+
    nix path-info --json --json-format 2 "$path" | jq -e \
-        --arg algo "$hashAlgo" \
-        --arg hash "$hashFromGit" \
+        --arg hashSRI "$hashSRI" \
        '.info.[].ca == {
            method: "git",
-            hash: {
-                algorithm: $algo,
-                format: "base16",
-                hash: $hash
-            },
+            hash: $hashSRI
        }'
 }

--- a/tests/functional/impure-derivations.sh
+++ b/tests/functional/impure-derivations.sh
@ -30,7 +30,7 @@ path1_stuff=$(echo "$json" | jq -r .[].outputs.stuff)
 [[ $(< "$path1"/n) = 0 ]]
 [[ $(< "$path1_stuff"/bla) = 0 ]]

-nix path-info --json --json-format 2 "$path1" | jq -e '.info.[].ca | .method == "nar" and .hash.algorithm == "sha256"'
+nix path-info --json --json-format 2 "$path1" | jq -e '.info.[].ca | .method == "nar" and (.hash | startswith("sha256-"))'

 path2=$(nix build -L --no-link --json --file ./impure-derivations.nix impure | jq -r .[].outputs.out)
 [[ $(< "$path2"/n) = 1 ]]
--- a/tests/functional/nix-profile.sh
+++ b/tests/functional/nix-profile.sh
@ -166,7 +166,7 @@ printf 4.0 > "$flake1Dir"/version
 printf Utrecht > "$flake1Dir"/who
 nix profile add "$flake1Dir"
 [[ $("$TEST_HOME"/.nix-profile/bin/hello) = "Hello Utrecht" ]]
-nix path-info --json --json-format 2 "$(realpath "$TEST_HOME"/.nix-profile/bin/hello)" | jq -e '.info.[].ca | .method == "nar" and .hash.algorithm == "sha256"'
+nix path-info --json --json-format 2 "$(realpath "$TEST_HOME"/.nix-profile/bin/hello)" | jq -e '.info.[].ca | .method == "nar" and (.hash | startswith("sha256-"))'

 # Override the outputs.
 nix profile remove simple flake1
--- a/tests/functional/path-info.sh
+++ b/tests/functional/path-info.sh
@ -20,16 +20,8 @@ diff --unified --color=always \
        jq --sort-keys '.info | map_values(.narHash)') \
    <(jq --sort-keys <<-EOF
        {
-          "$fooBase": {
-            "algorithm": "sha256",
-            "format": "base16",
-            "hash": "42fb4031b525feebe2f8b08e6e6a8e86f34e6a91dd036ada888e311b9cc8e690"
-          },
-          "$barBase": {
-            "algorithm": "sha256",
-            "format": "base16",
-            "hash": "f5f8581aef5fab17100b629cf35aa1d91328d5070b054068f14fa93e7fa3b614"
-          },
+          "$fooBase": "sha256-QvtAMbUl/uvi+LCObmqOhvNOapHdA2raiI4xG5zI5pA=",
+          "$barBase": "sha256-9fhYGu9fqxcQC2Kc81qh2RMo1QcLBUBo8U+pPn+jthQ=",
          "$bazBase": null
        }
 EOF
--- a/tests/functional/signing.sh
+++ b/tests/functional/signing.sh
@ -58,7 +58,7 @@ nix store verify -r "$outPath2" --sigs-needed 1 --trusted-public-keys "$pk1"
 # Build something content-addressed.
 outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no-out-link)

-nix path-info --json --json-format 2 "$outPathCA" | jq -e '.info.[].ca | .method == "flat" and .hash.algorithm == "md5"'
+nix path-info --json --json-format 2 "$outPathCA" | jq -e '.info.[].ca | .method == "flat" and (.hash | startswith("md5-"))'

 # Content-addressed paths don't need signatures, so they verify
 # regardless of --sigs-needed.
--- a/tests/nixos/fetchers-substitute.nix
+++ b/tests/nixos/fetchers-substitute.nix
@ -120,9 +120,8 @@
      # Get the NAR hash of the unpacked tarball in SRI format
      path_info_json = substituter.succeed(f"nix path-info --json-format 2 --json {tarball_store_path}").strip()
      path_info_dict = json.loads(path_info_json)["info"]
-      narHash_obj = path_info_dict[os.path.basename(tarball_store_path)]["narHash"]
-      # Convert from structured format {"algorithm": "sha256", "format": "base16", "hash": "..."} to SRI string
-      tarball_hash_sri = substituter.succeed(f"nix hash convert --to sri {narHash_obj['algorithm']}:{narHash_obj['hash']}").strip()
+      # narHash is already in SRI format
+      tarball_hash_sri = path_info_dict[os.path.basename(tarball_store_path)]["narHash"]
      print(f"Tarball NAR hash (SRI): {tarball_hash_sri}")

      # Also get the old format hash for fetchTarball (which uses sha256 parameter)