Merge pull request #14743 from NixOS/sri-in-json

Use SRI hash (strings) as the official JSON format for Hash after all
2025-12-12 20:11:03 +01:00 · 2025-12-08 22:25:11 +00:00 · 2025-12-08 22:25:11 +00:00 · bc0af77ba7
commit bc0af77ba7
parent 8ab5c2bc21 61de9222b0
45 changed files with 84 additions and 353 deletions
--- a/doc/manual/rl-next/json-format-changes.md
+++ b/doc/manual/rl-next/json-format-changes.md
@ -49,17 +49,10 @@ The new structured format follows the [JSON guidelines](@docroot@/development/js
  Content address is now a structured JSON object instead of a string:

  - Old: `"ca": "fixed:r:sha256:1abc..."`
-  - New: `"ca": {"method": "nar", "hash": {"algorithm": "sha256", "format": "base16", "hash": "10c209fa..."}}`
+  - New: `"ca": {"method": "nar", "hash": "sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="}`
  - Still `null` values for input-addressed store objects

- **Structured hash fields**:
-
-  Hash values (`narHash` and `downloadHash`) are now structured JSON objects instead of strings:
-
-  - Old: `"narHash": "sha256:FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc="`
-  - New: `"narHash": {"algorithm": "sha256", "format": "base16", "hash": "15e3c5608946..."}`
-  - Same structure applies to `downloadHash` in NAR info contexts
-  - The `format` field is always `"base16"` (hexadecimal)
+  The `hash` field uses the [SRI](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) format like other hashes.

 Nix currently only produces, and doesn't consume this format.

@ -87,7 +80,7 @@ The derivation JSON format has been updated from version 3 to version 4:

 - **Consistent content addresses**:

-  Floating content-addressed outputs now use structured JSON format.
+  Fixed content-addressed outputs now use structured JSON format.
  This is the same format as `ca` in store path info (after the new version).

 Version 3 and earlier formats are *not* accepted when reading.
--- a/doc/manual/source/protocols/json/hash.md
+++ b/doc/manual/source/protocols/json/hash.md
@ -5,13 +5,13 @@
 ### SHA-256

 ```json
-{{#include schema/hash-v1/sha256-base16.json}}
+{{#include schema/hash-v1/sha256.json}}
 ```

 ### BLAKE3

 ```json
-{{#include schema/hash-v1/blake3-base16.json}}
+{{#include schema/hash-v1/blake3.json}}
 ```

 <!-- need to convert YAML to JSON first
--- a/doc/manual/source/protocols/json/schema/hash-v1.yaml
+++ b/doc/manual/source/protocols/json/schema/hash-v1.yaml
@ -4,36 +4,13 @@ title: Hash
 description: |
  A cryptographic hash value used throughout Nix for content addressing and integrity verification.

-  This schema describes the JSON representation of Nix's `Hash` type.
-type: object
-properties:
-  algorithm:
-    "$ref": "#/$defs/algorithm"
-  format:
-    type: string
-    enum:
-    - base16
-    title: Hash format
-    description: |
-      The encoding format of the hash value.
+  This schema describes the JSON representation of Nix's `Hash` type as an [SRI](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) string.
+type: string
+pattern: "^(blake3|md5|sha1|sha256|sha512)-[A-Za-z0-9+/]+=*$"
+examples:
+- "sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="
+- "sha512-IEqPxt2oLwoM7XvrjgikFlfBbvRosiioJ5vjMacDwzWW/RXBOxsH+aodO+pXeJygMa2Fx6cd1wNU7GMSOMo0RQ=="

-      `base16` (lowercase hexadecimal) is the only format that is currently supported for JSON serialization.
-      This field exists primarily to reduce ambiguity about what the hash means.
-      It would also help us support other formats in the future, but there are no concrete plans to do so at this.
-  hash:
-    type: string
-    title: Hash
-    description: |
-      The encoded hash value, itself.
-
-      It is specified in the format specified by the `format` field.
-      It must be the right length for the hash algorithm specified in the `algorithm` field, also.
-      The hash value does not include any algorithm prefix.
-required:
- algorithm
- format
- hash
-additionalProperties: false
 "$defs":
  algorithm:
    type: string
--- a/src/json-schema-checks/meson.build
+++ b/src/json-schema-checks/meson.build
@ -32,8 +32,8 @@ schemas = [
    'stem' : 'hash',
    'schema' : schema_dir / 'hash-v1.yaml',
    'files' : [
-      'sha256-base16.json',
-      'blake3-base16.json',
+      'sha256.json',
+      'blake3.json',
    ],
  },
  {
--- a/src/libstore-tests/data/common-protocol/content-address.json
+++ b/src/libstore-tests/data/common-protocol/content-address.json
@ -1,26 +1,14 @@
 [
  {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "f9773d2e5ea670f96dc1a7b0ae4fc1010e7a6371b94ffff0ce1294734ceb62ed"
-    },
+    "hash": "sha256-+Xc9Ll6mcPltwaewrk/BAQ56Y3G5T//wzhKUc0zrYu0=",
    "method": "text"
  },
  {
-    "hash": {
-      "algorithm": "sha1",
-      "format": "base16",
-      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
-    },
+    "hash": "sha1-gGemBoenViNZM3hiwqns/Fgzqwo=",
    "method": "flat"
  },
  {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  }
 ]
--- a/src/libstore-tests/data/common-protocol/optional-content-address.json
+++ b/src/libstore-tests/data/common-protocol/optional-content-address.json
@ -1,11 +1,7 @@
 [
  null,
  {
-    "hash": {
-      "algorithm": "sha1",
-      "format": "base16",
-      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
-    },
+    "hash": "sha1-gGemBoenViNZM3hiwqns/Fgzqwo=",
    "method": "flat"
  }
 ]
--- a/src/libstore-tests/data/content-address/nar.json
+++ b/src/libstore-tests/data/content-address/nar.json
@ -1,8 +1,4 @@
 {
-  "hash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "f6f2ea8f45d8a057c9566a33f99474da2e5c6a6604d736121650e2730c6fb0a3"
-  },
+  "hash": "sha256-9vLqj0XYoFfJVmoz+ZR02i5camYE1zYSFlDicwxvsKM=",
  "method": "nar"
 }
--- a/src/libstore-tests/data/content-address/text.json
+++ b/src/libstore-tests/data/content-address/text.json
@ -1,8 +1,4 @@
 {
-  "hash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b"
-  },
+  "hash": "sha256-8OTC92xYkW7CWPJGhRvqCR0U1CR6L8PhhpRGGxgW4Ts=",
  "method": "text"
 }
--- a/src/libstore-tests/data/derivation/output-caFixedFlat.json
+++ b/src/libstore-tests/data/derivation/output-caFixedFlat.json
@ -1,8 +1,4 @@
 {
-  "hash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "894517c9163c896ec31a2adbd33c0681fd5f45b2c0ef08a64c92a03fb97f390f"
-  },
+  "hash": "sha256-iUUXyRY8iW7DGirb0zwGgf1fRbLA7wimTJKgP7l/OQ8=",
  "method": "flat"
 }
--- a/src/libstore-tests/data/derivation/output-caFixedNAR.json
+++ b/src/libstore-tests/data/derivation/output-caFixedNAR.json
@ -1,8 +1,4 @@
 {
-  "hash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "894517c9163c896ec31a2adbd33c0681fd5f45b2c0ef08a64c92a03fb97f390f"
-  },
+  "hash": "sha256-iUUXyRY8iW7DGirb0zwGgf1fRbLA7wimTJKgP7l/OQ8=",
  "method": "nar"
 }
--- a/src/libstore-tests/data/derivation/output-caFixedText.json
+++ b/src/libstore-tests/data/derivation/output-caFixedText.json
@ -1,8 +1,4 @@
 {
-  "hash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "894517c9163c896ec31a2adbd33c0681fd5f45b2c0ef08a64c92a03fb97f390f"
-  },
+  "hash": "sha256-iUUXyRY8iW7DGirb0zwGgf1fRbLA7wimTJKgP7l/OQ8=",
  "method": "text"
 }
--- a/src/libstore-tests/data/dummy-store/one-flat-file.json
+++ b/src/libstore-tests/data/dummy-store/one-flat-file.json
@ -12,19 +12,11 @@
      },
      "info": {
        "ca": {
-          "hash": {
-            "algorithm": "sha256",
-            "format": "base16",
-            "hash": "7f579dbae488602d41a1f5c0d6dc9c17bf408b635230942d504af1e43c4b6125"
-          },
+          "hash": "sha256-f1eduuSIYC1BofXA1tycF79Ai2NSMJQtUErx5DxLYSU=",
          "method": "nar"
        },
        "deriver": null,
-        "narHash": {
-          "algorithm": "sha256",
-          "format": "base16",
-          "hash": "7f579dbae488602d41a1f5c0d6dc9c17bf408b635230942d504af1e43c4b6125"
-        },
+        "narHash": "sha256-f1eduuSIYC1BofXA1tycF79Ai2NSMJQtUErx5DxLYSU=",
        "narSize": 120,
        "references": [],
        "registrationTime": null,
--- a/src/libstore-tests/data/nar-info/json-2/impure.json
+++ b/src/libstore-tests/data/nar-info/json-2/impure.json
@ -1,25 +1,13 @@
 {
  "ca": {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  },
  "compression": "xz",
  "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-  "downloadHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "downloadHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "downloadSize": 4029176,
-  "narHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "narSize": 34878,
  "references": [
    "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
--- a/src/libstore-tests/data/nar-info/json-2/pure.json
+++ b/src/libstore-tests/data/nar-info/json-2/pure.json
@ -1,17 +1,9 @@
 {
  "ca": {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  },
-  "narHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "narSize": 34878,
  "references": [
    "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
--- a/src/libstore-tests/data/path-info/json-2/empty_impure.json
+++ b/src/libstore-tests/data/path-info/json-2/empty_impure.json
@ -1,11 +1,7 @@
 {
  "ca": null,
  "deriver": null,
-  "narHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "narSize": 0,
  "references": [],
  "registrationTime": null,
--- a/src/libstore-tests/data/path-info/json-2/empty_pure.json
+++ b/src/libstore-tests/data/path-info/json-2/empty_pure.json
@ -1,10 +1,6 @@
 {
  "ca": null,
-  "narHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "narSize": 0,
  "references": [],
  "storeDir": "/nix/store",
--- a/src/libstore-tests/data/path-info/json-2/impure.json
+++ b/src/libstore-tests/data/path-info/json-2/impure.json
@ -1,18 +1,10 @@
 {
  "ca": {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  },
  "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-  "narHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "narSize": 34878,
  "references": [
    "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
--- a/src/libstore-tests/data/path-info/json-2/pure.json
+++ b/src/libstore-tests/data/path-info/json-2/pure.json
@ -1,17 +1,9 @@
 {
  "ca": {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  },
-  "narHash": {
-    "algorithm": "sha256",
-    "format": "base16",
-    "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-  },
+  "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
  "narSize": 34878,
  "references": [
    "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
--- a/src/libstore-tests/data/serve-protocol/content-address.json
+++ b/src/libstore-tests/data/serve-protocol/content-address.json
@ -1,26 +1,14 @@
 [
  {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "f9773d2e5ea670f96dc1a7b0ae4fc1010e7a6371b94ffff0ce1294734ceb62ed"
-    },
+    "hash": "sha256-+Xc9Ll6mcPltwaewrk/BAQ56Y3G5T//wzhKUc0zrYu0=",
    "method": "text"
  },
  {
-    "hash": {
-      "algorithm": "sha1",
-      "format": "base16",
-      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
-    },
+    "hash": "sha1-gGemBoenViNZM3hiwqns/Fgzqwo=",
    "method": "flat"
  },
  {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  }
 ]
--- a/src/libstore-tests/data/serve-protocol/optional-content-address.json
+++ b/src/libstore-tests/data/serve-protocol/optional-content-address.json
@ -1,11 +1,7 @@
 [
  null,
  {
-    "hash": {
-      "algorithm": "sha1",
-      "format": "base16",
-      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
-    },
+    "hash": "sha1-gGemBoenViNZM3hiwqns/Fgzqwo=",
    "method": "flat"
  }
 ]
--- a/src/libstore-tests/data/serve-protocol/unkeyed-valid-path-info-2.3.json
+++ b/src/libstore-tests/data/serve-protocol/unkeyed-valid-path-info-2.3.json
@ -2,11 +2,7 @@
  {
    "ca": null,
    "deriver": null,
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "0000000000000000000000000000000000000000000000000000000000000000"
-    },
+    "narHash": "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "narSize": 34878,
    "references": [],
    "registrationTime": null,
@ -18,11 +14,7 @@
  {
    "ca": null,
    "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "0000000000000000000000000000000000000000000000000000000000000000"
-    },
+    "narHash": "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "narSize": 34878,
    "references": [
      "g1w7hyyyy1w7hy3qg1w7hy3qgqqqqy3q-foo.drv"
--- a/src/libstore-tests/data/serve-protocol/unkeyed-valid-path-info-2.4.json
+++ b/src/libstore-tests/data/serve-protocol/unkeyed-valid-path-info-2.4.json
@ -2,11 +2,7 @@
  {
    "ca": null,
    "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "references": [
      "g1w7hyyyy1w7hy3qg1w7hy3qgqqqqy3q-foo.drv"
@ -19,19 +15,11 @@
  },
  {
    "ca": {
-      "hash": {
-        "algorithm": "sha256",
-        "format": "base16",
-        "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-      },
+      "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
      "method": "nar"
    },
    "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "references": [
      "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
--- a/src/libstore-tests/data/worker-protocol/content-address.json
+++ b/src/libstore-tests/data/worker-protocol/content-address.json
@ -1,26 +1,14 @@
 [
  {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "f9773d2e5ea670f96dc1a7b0ae4fc1010e7a6371b94ffff0ce1294734ceb62ed"
-    },
+    "hash": "sha256-+Xc9Ll6mcPltwaewrk/BAQ56Y3G5T//wzhKUc0zrYu0=",
    "method": "text"
  },
  {
-    "hash": {
-      "algorithm": "sha1",
-      "format": "base16",
-      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
-    },
+    "hash": "sha1-gGemBoenViNZM3hiwqns/Fgzqwo=",
    "method": "flat"
  },
  {
-    "hash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-    },
+    "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
    "method": "nar"
  }
 ]
--- a/src/libstore-tests/data/worker-protocol/optional-content-address.json
+++ b/src/libstore-tests/data/worker-protocol/optional-content-address.json
@ -1,11 +1,7 @@
 [
  null,
  {
-    "hash": {
-      "algorithm": "sha1",
-      "format": "base16",
-      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
-    },
+    "hash": "sha1-gGemBoenViNZM3hiwqns/Fgzqwo=",
    "method": "flat"
  }
 ]
--- a/src/libstore-tests/data/worker-protocol/unkeyed-valid-path-info-1.15.json
+++ b/src/libstore-tests/data/worker-protocol/unkeyed-valid-path-info-1.15.json
@ -2,11 +2,7 @@
  {
    "ca": null,
    "deriver": null,
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "references": [],
    "registrationTime": 23423,
@ -18,11 +14,7 @@
  {
    "ca": null,
    "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "references": [
      "g1w7hyyyy1w7hy3qg1w7hy3qgqqqqy3q-foo.drv"
--- a/src/libstore-tests/data/worker-protocol/valid-path-info-1.15.json
+++ b/src/libstore-tests/data/worker-protocol/valid-path-info-1.15.json
@ -2,11 +2,7 @@
  {
    "ca": null,
    "deriver": null,
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "path": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
    "references": [],
@ -19,11 +15,7 @@
  {
    "ca": null,
    "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "path": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
    "references": [
--- a/src/libstore-tests/data/worker-protocol/valid-path-info-1.16.json
+++ b/src/libstore-tests/data/worker-protocol/valid-path-info-1.16.json
@ -2,11 +2,7 @@
  {
    "ca": null,
    "deriver": null,
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "path": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
    "references": [],
@ -19,11 +15,7 @@
  {
    "ca": null,
    "deriver": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar.drv",
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "path": "g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-bar",
    "references": [
@ -41,19 +33,11 @@
  },
  {
    "ca": {
-      "hash": {
-        "algorithm": "sha256",
-        "format": "base16",
-        "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
-      },
+      "hash": "sha256-EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM=",
      "method": "nar"
    },
    "deriver": null,
-    "narHash": {
-      "algorithm": "sha256",
-      "format": "base16",
-      "hash": "15e3c560894cbb27085cf65b5a2ecb18488c999497f4531b6907a7581ce6d527"
-    },
+    "narHash": "sha256-FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc=",
    "narSize": 34878,
    "path": "n5wkd9frr45pa74if5gpz9j7mifg27fh-foo",
    "references": [
--- a/src/libutil-tests/data/hash/blake3-base16.json
+++ b/src/libutil-tests/data/hash/blake3-base16.json
@ -1,5 +0,0 @@
-{
-  "algorithm": "blake3",
-  "format": "base16",
-  "hash": "9e70ee1449965fb62d049040a1ed06ec377430da6ec13173e7c4fffcd28be980"
-}
--- a/src/libutil-tests/data/hash/blake3.json
+++ b/src/libutil-tests/data/hash/blake3.json
@ -0,0 +1 @@
+"blake3-nnDuFEmWX7YtBJBAoe0G7Dd0MNpuwTFz58T//NKL6YA="
--- a/src/libutil-tests/data/hash/sha256-base16.json
+++ b/src/libutil-tests/data/hash/sha256-base16.json
@ -1,5 +0,0 @@
-{
-  "algorithm": "sha256",
-  "format": "base16",
-  "hash": "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b"
-}
--- a/src/libutil-tests/data/hash/sha256-base64.json
+++ b/src/libutil-tests/data/hash/sha256-base64.json
@ -1,5 +0,0 @@
-{
-  "algorithm": "sha256",
-  "format": "base64",
-  "hash": "8OTC92xYkW7CWPJGhRvqCR0U1CR6L8PhhpRGGxgW4Ts="
-}
--- a/src/libutil-tests/data/hash/sha256-nix32.json
+++ b/src/libutil-tests/data/hash/sha256-nix32.json
@ -1,5 +0,0 @@
-{
-    "algorithm": "sha256",
-    "format": "nix32",
-    "hash": "0fz12qc1nillhvhw6bvs4ka18789x8dqaipjb316x4aqdkvw5r7h"
-}
--- a/src/libutil-tests/data/hash/sha256.json
+++ b/src/libutil-tests/data/hash/sha256.json
@ -0,0 +1 @@
+"sha256-8OTC92xYkW7CWPJGhRvqCR0U1CR6L8PhhpRGGxgW4Ts="
--- a/src/libutil-tests/data/hash/sha512.json
+++ b/src/libutil-tests/data/hash/sha512.json
@ -0,0 +1 @@
+"sha256-8OTC92xYkW7CWPJGhRvqCR0U1CR6L8PhhpRGGxgW4Ts="
--- a/src/libutil-tests/data/hash/simple.json
+++ b/src/libutil-tests/data/hash/simple.json
@ -1,5 +0,0 @@
-{
-  "algorithm": "sha256",
-  "format": "base16",
-  "hash": "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b"
-}
--- a/src/libutil-tests/hash.cc
+++ b/src/libutil-tests/hash.cc
@ -215,9 +215,6 @@ struct HashJsonTest : virtual HashTest,
                      ::testing::WithParamInterface<std::pair<std::string_view, Hash>>
 {};

-struct HashJsonParseFailureTest : virtual HashTest, ::testing::WithParamInterface<std::string_view>
-{};
-
 struct BLAKE3HashJsonTest : virtual HashTest,
                            BLAKE3HashTest,
                            JsonCharacterizationTest<Hash>,
@ -236,14 +233,6 @@ TEST_P(HashJsonTest, to_json)
    writeJsonTest(name, value);
 }

-TEST_P(HashJsonParseFailureTest, from_json)
-{
-    auto & name = GetParam();
-    auto path = goldenMaster(Path{name} + ".json");
-    auto encoded = json::parse(readFile(path));
-    ASSERT_THROW(nlohmann::adl_serializer<Hash>::from_json(encoded), Error);
-}
-
 TEST_P(BLAKE3HashJsonTest, from_json)
 {
    auto & [name, expected] = GetParam();
@ -256,32 +245,25 @@ TEST_P(BLAKE3HashJsonTest, to_json)
    writeJsonTest(name, expected);
 }

-// Round-trip tests (from_json + to_json) for base16 format only
-// (to_json always outputs base16)
 INSTANTIATE_TEST_SUITE_P(
    HashJSON,
    HashJsonTest,
    ::testing::Values(
        std::pair{
-            "simple",
+            "sha256",
            hashString(HashAlgorithm::SHA256, "asdf"),
        },
        std::pair{
-            "sha256-base16",
+            "sha512",
            hashString(HashAlgorithm::SHA256, "asdf"),
        }));

-// Failure tests for unsupported formats (base64, nix32, sri)
-// These verify that non-base16 formats are rejected
-INSTANTIATE_TEST_SUITE_P(
-    HashJSONParseFailure, HashJsonParseFailureTest, ::testing::Values("sha256-base64", "sha256-nix32"));
-
 INSTANTIATE_TEST_SUITE_P(BLAKE3HashJSON, BLAKE3HashJsonTest, ([] {
                             ExperimentalFeatureSettings mockXpSettings;
                             mockXpSettings.set("experimental-features", "blake3-hashes");
                             return ::testing::Values(
                                 std::pair{
-                                     "blake3-base16",
+                                     "blake3",
                                     hashString(HashAlgorithm::BLAKE3, "asdf", mockXpSettings),
                                 });
                         }()));
--- a/src/libutil/hash.cc
+++ b/src/libutil/hash.cc
@ -164,7 +164,7 @@ static Hash parseLowLevel(
    return res;
 }

-Hash Hash::parseSRI(std::string_view original)
+Hash Hash::parseSRI(std::string_view original, const ExperimentalFeatureSettings & xpSettings)
 {
    auto rest = original;

@ -172,9 +172,9 @@ Hash Hash::parseSRI(std::string_view original)
    auto hashRaw = splitPrefixTo(rest, '-');
    if (!hashRaw)
        throw BadHash("hash '%s' is not SRI", original);
-    HashAlgorithm parsedType = parseHashAlgo(*hashRaw);
+    HashAlgorithm parsedType = parseHashAlgo(*hashRaw, xpSettings);

-    return parseLowLevel(rest, parsedType, {base64::decode, "SRI"});
+    return parseLowLevel(rest, parsedType, {base64::decode, "SRI"}, xpSettings);
 }

 /**
@ -519,27 +519,13 @@ using namespace nix;

 Hash adl_serializer<Hash>::from_json(const json & json, const ExperimentalFeatureSettings & xpSettings)
 {
-    auto & obj = getObject(json);
-    auto algo = parseHashAlgo(getString(valueAt(obj, "algorithm")), xpSettings);
-    auto formatStr = getString(valueAt(obj, "format"));
-    auto format = parseHashFormat(formatStr);
-
-    // Only base16 format is supported for JSON serialization
-    if (format != HashFormat::Base16) {
-        throw Error("hash format '%s' is not supported in JSON; only 'base16' is currently supported", formatStr);
-    }
-
-    auto & hashS = getString(valueAt(obj, "hash"));
-    return Hash::parseExplicitFormatUnprefixed(hashS, algo, format, xpSettings);
+    auto & s = getString(json);
+    return Hash::parseSRI(s, xpSettings);
 }

 void adl_serializer<Hash>::to_json(json & json, const Hash & hash)
 {
-    json = {
-        {"format", printHashFormat(HashFormat::Base16)},
-        {"algorithm", printHashAlgo(hash.algo)},
-        {"hash", hash.to_string(HashFormat::Base16, false)},
-    };
+    json = hash.to_string(HashFormat::SRI, true);
 }

 } // namespace nlohmann
--- a/src/libutil/include/nix/util/hash.hh
+++ b/src/libutil/include/nix/util/hash.hh
@ -110,7 +110,8 @@ struct Hash
        HashFormat explicitFormat,
        const ExperimentalFeatureSettings & xpSettings = experimentalFeatureSettings);

-    static Hash parseSRI(std::string_view original);
+    static Hash
+    parseSRI(std::string_view original, const ExperimentalFeatureSettings & xpSettings = experimentalFeatureSettings);

 public:
    /**
--- a/tests/functional/fixed.sh
+++ b/tests/functional/fixed.sh
@ -17,11 +17,7 @@ nix-build fixed.nix -A bad --no-out-link && fail "should fail"
 nix path-info --json --json-format 2 "$path" | jq -e \
    '.info.[].ca == {
        method: "flat",
-        hash: {
-            algorithm: "md5",
-            format: "base16",
-            hash: "8ddd8be4b179a529afa5f2ffae4b9858"
-        },
+        hash: "md5-jd2L5LF5pSmvpfL/rkuYWA=="
    }'

 echo 'testing good...'
--- a/tests/functional/git-hashing/simple-common.sh
+++ b/tests/functional/git-hashing/simple-common.sh
@ -47,16 +47,15 @@ try2 () {
    hashFromGit=$(git -C "$repo" rev-parse "HEAD:$hashPath")
    [[ "$hashFromGit" == "$expected" ]]

+    # Convert base16 hash to SRI format for comparison
+    local hashSRI
+    hashSRI=$(nix hash convert --from base16 --to sri --hash-algo "$hashAlgo" "$hashFromGit")
+
    nix path-info --json --json-format 2 "$path" | jq -e \
-        --arg algo "$hashAlgo" \
-        --arg hash "$hashFromGit" \
+        --arg hashSRI "$hashSRI" \
        '.info.[].ca == {
            method: "git",
-            hash: {
-                algorithm: $algo,
-                format: "base16",
-                hash: $hash
-            },
+            hash: $hashSRI
        }'
 }

--- a/tests/functional/impure-derivations.sh
+++ b/tests/functional/impure-derivations.sh
@ -30,7 +30,7 @@ path1_stuff=$(echo "$json" | jq -r .[].outputs.stuff)
 [[ $(< "$path1"/n) = 0 ]]
 [[ $(< "$path1_stuff"/bla) = 0 ]]

-nix path-info --json --json-format 2 "$path1" | jq -e '.info.[].ca | .method == "nar" and .hash.algorithm == "sha256"'
+nix path-info --json --json-format 2 "$path1" | jq -e '.info.[].ca | .method == "nar" and (.hash | startswith("sha256-"))'

 path2=$(nix build -L --no-link --json --file ./impure-derivations.nix impure | jq -r .[].outputs.out)
 [[ $(< "$path2"/n) = 1 ]]
--- a/tests/functional/nix-profile.sh
+++ b/tests/functional/nix-profile.sh
@ -166,7 +166,7 @@ printf 4.0 > "$flake1Dir"/version
 printf Utrecht > "$flake1Dir"/who
 nix profile add "$flake1Dir"
 [[ $("$TEST_HOME"/.nix-profile/bin/hello) = "Hello Utrecht" ]]
-nix path-info --json --json-format 2 "$(realpath "$TEST_HOME"/.nix-profile/bin/hello)" | jq -e '.info.[].ca | .method == "nar" and .hash.algorithm == "sha256"'
+nix path-info --json --json-format 2 "$(realpath "$TEST_HOME"/.nix-profile/bin/hello)" | jq -e '.info.[].ca | .method == "nar" and (.hash | startswith("sha256-"))'

 # Override the outputs.
 nix profile remove simple flake1
--- a/tests/functional/path-info.sh
+++ b/tests/functional/path-info.sh
@ -20,16 +20,8 @@ diff --unified --color=always \
        jq --sort-keys '.info | map_values(.narHash)') \
    <(jq --sort-keys <<-EOF
        {
-          "$fooBase": {
-            "algorithm": "sha256",
-            "format": "base16",
-            "hash": "42fb4031b525feebe2f8b08e6e6a8e86f34e6a91dd036ada888e311b9cc8e690"
-          },
-          "$barBase": {
-            "algorithm": "sha256",
-            "format": "base16",
-            "hash": "f5f8581aef5fab17100b629cf35aa1d91328d5070b054068f14fa93e7fa3b614"
-          },
+          "$fooBase": "sha256-QvtAMbUl/uvi+LCObmqOhvNOapHdA2raiI4xG5zI5pA=",
+          "$barBase": "sha256-9fhYGu9fqxcQC2Kc81qh2RMo1QcLBUBo8U+pPn+jthQ=",
          "$bazBase": null
        }
 EOF
--- a/tests/functional/signing.sh
+++ b/tests/functional/signing.sh
@ -58,7 +58,7 @@ nix store verify -r "$outPath2" --sigs-needed 1 --trusted-public-keys "$pk1"
 # Build something content-addressed.
 outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no-out-link)

-nix path-info --json --json-format 2 "$outPathCA" | jq -e '.info.[].ca | .method == "flat" and .hash.algorithm == "md5"'
+nix path-info --json --json-format 2 "$outPathCA" | jq -e '.info.[].ca | .method == "flat" and (.hash | startswith("md5-"))'

 # Content-addressed paths don't need signatures, so they verify
 # regardless of --sigs-needed.
--- a/tests/nixos/fetchers-substitute.nix
+++ b/tests/nixos/fetchers-substitute.nix
@ -120,9 +120,8 @@
      # Get the NAR hash of the unpacked tarball in SRI format
      path_info_json = substituter.succeed(f"nix path-info --json-format 2 --json {tarball_store_path}").strip()
      path_info_dict = json.loads(path_info_json)["info"]
-      narHash_obj = path_info_dict[os.path.basename(tarball_store_path)]["narHash"]
-      # Convert from structured format {"algorithm": "sha256", "format": "base16", "hash": "..."} to SRI string
-      tarball_hash_sri = substituter.succeed(f"nix hash convert --to sri {narHash_obj['algorithm']}:{narHash_obj['hash']}").strip()
+      # narHash is already in SRI format
+      tarball_hash_sri = path_info_dict[os.path.basename(tarball_store_path)]["narHash"]
      print(f"Tarball NAR hash (SRI): {tarball_hash_sri}")

      # Also get the old format hash for fetchTarball (which uses sha256 parameter)
				`@ -0,0 +1 @@`
				`"blake3-nnDuFEmWX7YtBJBAoe0G7Dd0MNpuwTFz58T//NKL6YA="`
				`@ -0,0 +1 @@`
				`"sha256-8OTC92xYkW7CWPJGhRvqCR0U1CR6L8PhhpRGGxgW4Ts="`