tvix: SRI hashes of non-standard length are not accepted

#252
Opened by qyliss at 2023-02-07T17·36+00

Nix accepts SRI hashes that are too short (as if padded by = characters), and hashes that are too long (which are truncated). Sometimes, these end up in Nixpkgs. Should tvix do the same?

  1. As an example, krb5 1.20 in nixpkgs (https://github.com/NixOS/nixpkgs/blob/7e49471316373c471a3bf4b78c130ebc907ae2d2/pkgs/development/libraries/kerberos/krb5.nix) had a

    sha256 = "sha256-fgIr3TyFGDAXP5+qoAaiMKDg/a1MlT6Fv/S/DaA24S8"
    

    This is missing a trailing = for the padding, and echo -n "fgIr3TyFGDAXP5+qoAaiMKDg/a1MlT6Fv/S/DaA24S8" | base64 -d fails to decode it.

    With the = added, it does succeed.

    flokli at 2023-02-08T08·47+00

  2. So it apparently only "works" in the SRI case.

    If I change the line to

    sha256 = "fgIr3TyFGDAXP5+qoAaiMKDg/a1MlT6Fv/S/DaA24S8"
    

    Nix 2.13.2 fails with the following error message:

    error: hash 'fgIr3TyFGDAXP5+qoAaiMKDg/a1MlT6Fv/S/DaA24S8' has wrong length for hash type 'sha256'

    Passing the broken hash in SRI form, either as sha256 = or hash = does work.

    I'll make sure to cover this in the test cases.

    flokli at 2023-02-08T09·24+00

  3. Support for NOPAD gets added in https://cl.tvl.fyi/8037, and there's also a comment stating why too long hashes are rejected currently.

    flokli at 2023-02-08T09·46+00

  4. tazjin closed this issue at 2023-03-02T19·50+00