6024dc1d97
SRI hashes (https://www.w3.org/TR/SRI/) combine the hash algorithm and a base-64 hash. This allows more concise and standard hash specifications. For example, instead of

  import <nix/fetchurl.nix> {
    url = https://nixos.org/releases/nix/nix-2.1.3/nix-2.1.3.tar.xz;
    sha256 = "5d22dad058d5c800d65a115f919da22938c50dd6ba98c5e3a183172d149840a4";
  };

you can write

  import <nix/fetchurl.nix> {
    url = https://nixos.org/releases/nix/nix-2.1.3/nix-2.1.3.tar.xz;
    hash = "sha256-XSLa0FjVyADWWhFfkZ2iKTjFDda6mMXjoYMXLRSYQKQ=";
  };

In fixed-output derivations, the outputHashAlgo is no longer mandatory if outputHash specifies the hash (either as an SRI or in the old "<type>:<hash>" format).

'nix hash-{file,path}' now print hashes in SRI format by default. I also reverted them to use SHA-256 by default because that's what we're using most of the time in Nixpkgs.

Suggested by @zimbatm.
source common.sh
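clearStore

# Test fetching a flat file.
# The expected digest is computed from the local file with nix-hash and then
# passed to the fetcher as its sha256 argument, so the build only succeeds
# if the fetched content matches that digest.
hash=$(nix-hash --flat --type sha256 ./fetchurl.sh)

# Expansions are quoted so a working directory containing spaces or glob
# characters cannot split or rewrite the URL argument.
# --hashed-mirrors '' passes an empty mirror list (presumably so that the
# file:// URL is the only source consulted; confirm against the option docs).
outPath=$(nix-build '<nix/fetchurl.nix>' \
  --argstr url "file://$(pwd)/fetchurl.sh" \
  --argstr sha256 "$hash" \
  --no-out-link --hashed-mirrors '')

# Byte-for-byte comparison of the build output with the original file.
# NOTE(review): a cmp failure only aborts the script if errexit is active,
# presumably enabled by common.sh; confirm.
cmp "$outPath" fetchurl.sh
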
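# Now using a base-64 hash.
# Same fetch as the flat-file case, but the expected digest is a sha512 value
# printed in base-64 and passed through the sha512 argument.
clearStore

hash=$(nix hash-file --type sha512 --base64 ./fetchurl.sh)

# Quoting matters here in particular: a base-64 digest may contain '/' and
# '+', and the URL embeds the current directory.
outPath=$(nix-build '<nix/fetchurl.nix>' \
  --argstr url "file://$(pwd)/fetchurl.sh" \
  --argstr sha512 "$hash" \
  --no-out-link --hashed-mirrors '')

# The fetched store path must be identical to the source file.
cmp "$outPath" fetchurl.sh
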
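# Now using an SRI hash.
# `nix hash-file` is called without --type/--base flags, so this exercises
# its default output, which is then passed unchanged as the `hash` argument.
clearStore

hash=$(nix hash-file ./fetchurl.sh)

# The default output must be an SRI string carrying the sha512- prefix.
# NOTE(review): this pins the tool's default algorithm; keep the prefix in
# sync with the default of `nix hash-file`. The check only aborts the script
# if errexit is active, presumably enabled by common.sh; confirm.
[[ $hash =~ ^sha512- ]]

# Expansions are quoted so the SRI string and the path reach nix-build as
# single arguments.
outPath=$(nix-build '<nix/fetchurl.nix>' \
  --argstr url "file://$(pwd)/fetchurl.sh" \
  --argstr hash "$hash" \
  --no-out-link --hashed-mirrors '')

# The fetched store path must be identical to the source file.
cmp "$outPath" fetchurl.sh
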
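# Test the hashed mirror feature.
# The primary URL points at a path that does not exist, so the content can
# only come from the mirror directory, which is laid out as
# <mirror>/<algorithm>/<digest>.
clearStore

hash=$(nix hash-file --type sha512 --base64 ./fetchurl.sh)
# Despite its name, hash32 holds the base-16 rendering of the digest; it is
# used as the file name inside the mirror.
hash32=$(nix hash-file --type sha512 --base16 ./fetchurl.sh)

# ${TMPDIR:?} aborts instead of falling back to /hashed-mirror when TMPDIR is
# unset or empty, so the recursive delete below cannot hit a root-level path.
mirror="${TMPDIR:?}/hashed-mirror"
rm -rf -- "$mirror"
mkdir -p -- "$mirror/sha512"
ln -s -- "$(pwd)/fetchurl.sh" "$mirror/sha512/$hash32"

# The expected digest is still passed by the caller, so the mirror is used
# as a content source here, not as the source of the digest.
outPath=$(nix-build '<nix/fetchurl.nix>' \
  --argstr url file:///no-such-dir/fetchurl.sh \
  --argstr sha512 "$hash" \
  --no-out-link --hashed-mirrors "file://$mirror")
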
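# Test unpacking a NAR.
# Builds a small directory (one executable file, one symlink), dumps it to a
# NAR, and fetches that NAR with `unpack = true`. The digest passed is the
# flat sha256 of the NAR file itself.
# ${TEST_ROOT:?} aborts if TEST_ROOT is unset or empty, so the recursive
# delete cannot resolve to /archive.
rm -rf -- "${TEST_ROOT:?}/archive"
mkdir -p -- "$TEST_ROOT/archive"
cp ./fetchurl.sh "$TEST_ROOT/archive"
chmod +x "$TEST_ROOT/archive/fetchurl.sh"
# Dangling symlink on purpose: only the link itself has to survive unpacking.
ln -s foo "$TEST_ROOT/archive/symlink"
nar="$TEST_ROOT/archive.nar"
nix-store --dump "$TEST_ROOT/archive" > "$nar"

hash=$(nix-hash --flat --type sha256 "$nar")

outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url "file://$nar" --argstr sha256 "$hash" \
  --arg unpack true --argstr name xyzzy --no-out-link)

# The requested name must show up in the resulting store path.
printf '%s\n' "$outPath" | grep -q 'xyzzy'

# The executable bit and the symlink must both survive the round trip.
test -x "$outPath/fetchurl.sh"
test -L "$outPath/symlink"

# Remove the output so a later fetch with the same name and digest has to
# build again rather than reuse this path.
nix-store --delete "$outPath"
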
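# Test unpacking a compressed NAR.
# Reuses $nar and $hash from the uncompressed NAR test: the digest passed is
# that of the uncompressed NAR, while the URL points at the .xz file.
# ${TEST_ROOT:?} aborts if TEST_ROOT is unset or empty.
narxz="${TEST_ROOT:?}/archive.nar.xz"
rm -f -- "$narxz"
# --keep leaves the uncompressed NAR in place next to the .xz output.
xz --keep -- "$nar"
outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url "file://$narxz" --argstr sha256 "$hash" \
  --arg unpack true --argstr name xyzzy --no-out-link)

# Same structural checks as for the uncompressed NAR.
test -x "$outPath/fetchurl.sh"
test -L "$outPath/symlink"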