Merge pull request #14536 from NixOS/clamp-down-hash

JSON for `Hash` now has to be `Base16`

Author: Ericson2314

doc/manual/rl-next/json-format-changes.md

@@ -19,16 +19,17 @@ The store path info JSON format has been updated from version 1 to version 2:
   Content address is now a structured JSON object instead of a string:
 
   - Old: `"ca": "fixed:r:sha256:1abc..."`
-  - New: `"ca": {"method": "nar", "hash": {"algorithm": "sha256", "format": "base64", "hash": "EMIJ+giQ..."}}`
+  - New: `"ca": {"method": "nar", "hash": {"algorithm": "sha256", "format": "base16", "hash": "10c209fa..."}}`
   - Still `null` values for input-addressed store objects
 
 - **Structured hash fields**:
 
   Hash values (`narHash` and `downloadHash`) are now structured JSON objects instead of strings:
 
   - Old: `"narHash": "sha256:FePFYIlMuycIXPZbWi7LGEiMmZSX9FMbaQenWBzm1Sc="`
-  - New: `"narHash": {"algorithm": "sha256", "format": "base64", "hash": "FePFYIlM..."}`
+  - New: `"narHash": {"algorithm": "sha256", "format": "base16", "hash": "15e3c5608946..."}`
   - Same structure applies to `downloadHash` in NAR info contexts
+  - The `format` field is always `"base16"` (hexadecimal)
 
 Nix currently only produces, and doesn't consume this format.
 
@@ -48,8 +49,8 @@ The derivation JSON format has been updated from version 3 to version 4:
 - **Consistent content addresses**:
 
   Floating content-addressed outputs now use structured JSON format.
-  This is the same format as `ca` in in store path info (after the new version).
+  This is the same format as `ca` in store path info (after the new version).
 
 Version 3 and earlier formats are *not* accepted when reading.
 
-**Affected command**: `nix derivation`, namely it's `show` and `add` sub-commands.
+**Affected command**: `nix derivation`, namely its `show` and `add` sub-commands.

doc/manual/source/protocols/json/hash.md

@@ -2,28 +2,16 @@
 
 ## Examples
 
-### SHA-256 with Base64 encoding
-
-```json
-{{#include schema/hash-v1/sha256-base64.json}}
-```
-
-### SHA-256 with Base16 (hexadecimal) encoding
+### SHA-256
 
 ```json
 {{#include schema/hash-v1/sha256-base16.json}}
 ```
 
-### SHA-256 with Nix32 encoding
-
-```json
-{{#include schema/hash-v1/sha256-nix32.json}}
-```
-
-### BLAKE3 with Base64 encoding
+### BLAKE3
 
 ```json
-{{#include schema/hash-v1/blake3-base64.json}}
+{{#include schema/hash-v1/blake3-base16.json}}
 ```
 
 <!-- need to convert YAML to JSON first

doc/manual/source/protocols/json/schema/hash-v1.yaml

@@ -12,18 +12,14 @@ properties:
   format:
     type: string
     enum:
-    - base64
-    - nix32
     - base16
-    - sri
     title: Hash format
     description: |
       The encoding format of the hash value.
 
-      - `base64` uses standard Base64 encoding [RFC 4648, section 4](https://datatracker.ietf.org/doc/html/rfc4648#section-4)
-      - `nix32` is Nix-specific base-32 encoding
-      - `base16` is lowercase hexadecimal
-      - `sri` is the [Subresource Integrity format](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity).
+      `base16` (lowercase hexadecimal) is the only format that is currently supported for JSON serialization.
+      This field exists primarily to reduce ambiguity about what the hash means.
+      It would also help us support other formats in the future, but there are no concrete plans to do so at this.
   hash:
     type: string
     title: Hash

src/json-schema-checks/meson.build

@@ -32,10 +32,8 @@ schemas = [
     'stem' : 'hash',
     'schema' : schema_dir / 'hash-v1.yaml',
     'files' : [
-      'sha256-base64.json',
       'sha256-base16.json',
-      'sha256-nix32.json',
-      'blake3-base64.json',
+      'blake3-base16.json',
     ],
   },
   {

src/libstore-tests/data/common-protocol/content-address.json

@@ -2,24 +2,24 @@
   {
     "hash": {
       "algorithm": "sha256",
-      "format": "base64",
-      "hash": "+Xc9Ll6mcPltwaewrk/BAQ56Y3G5T//wzhKUc0zrYu0="
+      "format": "base16",
+      "hash": "f9773d2e5ea670f96dc1a7b0ae4fc1010e7a6371b94ffff0ce1294734ceb62ed"
     },
     "method": "text"
   },
   {
     "hash": {
       "algorithm": "sha1",
-      "format": "base64",
-      "hash": "gGemBoenViNZM3hiwqns/Fgzqwo="
+      "format": "base16",
+      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
     },
     "method": "flat"
   },
   {
     "hash": {
       "algorithm": "sha256",
-      "format": "base64",
-      "hash": "EMIJ+giQ/gLIWoxmPKjno3zHZrxbGymgzGGyZvZBIdM="
+      "format": "base16",
+      "hash": "10c209fa0890fe02c85a8c663ca8e7a37cc766bc5b1b29a0cc61b266f64121d3"
     },
     "method": "nar"
   }

src/libstore-tests/data/common-protocol/optional-content-address.json

@@ -3,8 +3,8 @@
   {
     "hash": {
       "algorithm": "sha1",
-      "format": "base64",
-      "hash": "gGemBoenViNZM3hiwqns/Fgzqwo="
+      "format": "base16",
+      "hash": "8067a60687a7562359337862c2a9ecfc5833ab0a"
     },
     "method": "flat"
   }

src/libstore-tests/data/content-address/nar.json

@@ -1,8 +1,8 @@
 {
   "hash": {
     "algorithm": "sha256",
-    "format": "base64",
-    "hash": "9vLqj0XYoFfJVmoz+ZR02i5camYE1zYSFlDicwxvsKM="
+    "format": "base16",
+    "hash": "f6f2ea8f45d8a057c9566a33f99474da2e5c6a6604d736121650e2730c6fb0a3"
   },
   "method": "nar"
 }

src/libstore-tests/data/content-address/text.json

@@ -1,8 +1,8 @@
 {
   "hash": {
     "algorithm": "sha256",
-    "format": "base64",
-    "hash": "8OTC92xYkW7CWPJGhRvqCR0U1CR6L8PhhpRGGxgW4Ts="
+    "format": "base16",
+    "hash": "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b"
   },
   "method": "text"
 }

src/libstore-tests/data/derivation/output-caFixedFlat.json

@@ -1,8 +1,8 @@
 {
   "hash": {
     "algorithm": "sha256",
-    "format": "base64",
-    "hash": "iUUXyRY8iW7DGirb0zwGgf1fRbLA7wimTJKgP7l/OQ8="
+    "format": "base16",
+    "hash": "894517c9163c896ec31a2adbd33c0681fd5f45b2c0ef08a64c92a03fb97f390f"
   },
   "method": "flat"
 }

src/libstore-tests/data/derivation/output-caFixedNAR.json

@@ -1,8 +1,8 @@
 {
   "hash": {
     "algorithm": "sha256",
-    "format": "base64",
-    "hash": "iUUXyRY8iW7DGirb0zwGgf1fRbLA7wimTJKgP7l/OQ8="
+    "format": "base16",
+    "hash": "894517c9163c896ec31a2adbd33c0681fd5f45b2c0ef08a64c92a03fb97f390f"
   },
   "method": "nar"
 }