Merge pull request #14743 from NixOS/sri-in-json

Use SRI hash (strings) as the official JSON format for Hash after all

tests/functional/fixed.sh

@@ -17,11 +17,7 @@ nix-build fixed.nix -A bad --no-out-link && fail "should fail"
 nix path-info --json --json-format 2 "$path" | jq -e \
     '.info.[].ca == {
         method: "flat",
-        hash: {
-            algorithm: "md5",
-            format: "base16",
-            hash: "8ddd8be4b179a529afa5f2ffae4b9858"
-        },
+        hash: "md5-jd2L5LF5pSmvpfL/rkuYWA=="
     }'
 
 echo 'testing good...'

tests/functional/git-hashing/simple-common.sh

@@ -47,16 +47,15 @@ try2 () {
     hashFromGit=$(git -C "$repo" rev-parse "HEAD:$hashPath")
     [[ "$hashFromGit" == "$expected" ]]
 
+    # Convert base16 hash to SRI format for comparison
+    local hashSRI
+    hashSRI=$(nix hash convert --from base16 --to sri --hash-algo "$hashAlgo" "$hashFromGit")
+
     nix path-info --json --json-format 2 "$path" | jq -e \
-        --arg algo "$hashAlgo" \
-        --arg hash "$hashFromGit" \
+        --arg hashSRI "$hashSRI" \
         '.info.[].ca == {
             method: "git",
-            hash: {
-                algorithm: $algo,
-                format: "base16",
-                hash: $hash
-            },
+            hash: $hashSRI
         }'
 }
 

tests/functional/impure-derivations.sh

@@ -30,7 +30,7 @@ path1_stuff=$(echo "$json" | jq -r .[].outputs.stuff)
 [[ $(< "$path1"/n) = 0 ]]
 [[ $(< "$path1_stuff"/bla) = 0 ]]
 
-nix path-info --json --json-format 2 "$path1" | jq -e '.info.[].ca | .method == "nar" and .hash.algorithm == "sha256"'
+nix path-info --json --json-format 2 "$path1" | jq -e '.info.[].ca | .method == "nar" and (.hash | startswith("sha256-"))'
 
 path2=$(nix build -L --no-link --json --file ./impure-derivations.nix impure | jq -r .[].outputs.out)
 [[ $(< "$path2"/n) = 1 ]]

tests/functional/nix-profile.sh

@@ -166,7 +166,7 @@ printf 4.0 > "$flake1Dir"/version
 printf Utrecht > "$flake1Dir"/who
 nix profile add "$flake1Dir"
 [[ $("$TEST_HOME"/.nix-profile/bin/hello) = "Hello Utrecht" ]]
-nix path-info --json --json-format 2 "$(realpath "$TEST_HOME"/.nix-profile/bin/hello)" | jq -e '.info.[].ca | .method == "nar" and .hash.algorithm == "sha256"'
+nix path-info --json --json-format 2 "$(realpath "$TEST_HOME"/.nix-profile/bin/hello)" | jq -e '.info.[].ca | .method == "nar" and (.hash | startswith("sha256-"))'
 
 # Override the outputs.
 nix profile remove simple flake1

tests/functional/path-info.sh

@@ -20,16 +20,8 @@ diff --unified --color=always \
         jq --sort-keys '.info | map_values(.narHash)') \
     <(jq --sort-keys <<-EOF
         {
-          "$fooBase": {
-            "algorithm": "sha256",
-            "format": "base16",
-            "hash": "42fb4031b525feebe2f8b08e6e6a8e86f34e6a91dd036ada888e311b9cc8e690"
-          },
-          "$barBase": {
-            "algorithm": "sha256",
-            "format": "base16",
-            "hash": "f5f8581aef5fab17100b629cf35aa1d91328d5070b054068f14fa93e7fa3b614"
-          },
+          "$fooBase": "sha256-QvtAMbUl/uvi+LCObmqOhvNOapHdA2raiI4xG5zI5pA=",
+          "$barBase": "sha256-9fhYGu9fqxcQC2Kc81qh2RMo1QcLBUBo8U+pPn+jthQ=",
           "$bazBase": null
         }
 EOF

tests/functional/signing.sh

@@ -58,7 +58,7 @@ nix store verify -r "$outPath2" --sigs-needed 1 --trusted-public-keys "$pk1"
 # Build something content-addressed.
 outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no-out-link)
 
-nix path-info --json --json-format 2 "$outPathCA" | jq -e '.info.[].ca | .method == "flat" and .hash.algorithm == "md5"'
+nix path-info --json --json-format 2 "$outPathCA" | jq -e '.info.[].ca | .method == "flat" and (.hash | startswith("md5-"))'
 
 # Content-addressed paths don't need signatures, so they verify
 # regardless of --sigs-needed.