diff --git a/doc/build-helpers/images/dockertools.section.md b/doc/build-helpers/images/dockertools.section.md
index 26c1d9c14a264..04d477bdc5066 100644
--- a/doc/build-helpers/images/dockertools.section.md
+++ b/doc/build-helpers/images/dockertools.section.md
@@ -881,7 +881,7 @@ dockerTools.pullImage {
 imageDigest = "sha256:b8ea88f763f33dfda2317b55eeda3b1a4006692ee29e60ee54ccf6d07348c598";
 finalImageName = "nix";
 finalImageTag = "2.19.3";
- sha256 = "zRwlQs1FiKrvHPaf8vWOR/Tlp1C5eLn1d9pE4BZg3oA=";
+ hash = "sha256-zRwlQs1FiKrvHPaf8vWOR/Tlp1C5eLn1d9pE4BZg3oA=";
 }
 ```
 :::
@@ -898,7 +898,7 @@ dockerTools.pullImage {
 imageDigest = "sha256:24a23053f29266fb2731ebea27f915bb0fb2ae1ea87d42d890fe4e44f2e27c5d";
 finalImageName = "etcd";
 finalImageTag = "v3.5.11";
- sha256 = "Myw+85f2/EVRyMB3axECdmQ5eh9p1q77FWYKy8YpRWU=";
+ hash = "sha256-Myw+85f2/EVRyMB3axECdmQ5eh9p1q77FWYKy8YpRWU=";
 }
 ```
 :::
@@ -922,7 +922,7 @@ Writing manifest to image destination
 {
 imageName = "nixos/nix";
 imageDigest = "sha256:498fa2d7f2b5cb3891a4edf20f3a8f8496e70865099ba72540494cd3e2942634";
- sha256 = "1q6cf2pdrasa34zz0jw7pbs6lvv52rq2aibgxccbwcagwkg2qj1q";
+ hash = "sha256-OEgs3uRPMb4Y629FJXAWZW9q9LqHS/A/GUqr3K5wzOA=";
 finalImageName = "nixos/nix";
 finalImageTag = "latest";
 }
diff --git a/nixos/modules/services/cluster/k3s/default.nix b/nixos/modules/services/cluster/k3s/default.nix
index 2925745c9e094..bd1bcea758e8f 100644
--- a/nixos/modules/services/cluster/k3s/default.nix
+++ b/nixos/modules/services/cluster/k3s/default.nix
@@ -372,7 +372,7 @@ in
 (pkgs.dockerTools.pullImage {
 imageName = "docker.io/bitnami/keycloak";
 imageDigest = "sha256:714dfadc66a8e3adea6609bda350345bd3711657b7ef3cf2e8015b526bac2d6b";
- sha256 = "0imblp0kw9vkcr7sp962jmj20fpmb3hvd3hmf4cs4x04klnq3k90";
+ hash = "sha256-IM2BLZ0EdKIZcRWOtuFY9TogZJXCpKtPZnMnPsGlq0Y=";
 finalImageTag = "21.1.2-debian-11-r0";
 })
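Review bot: The base32 value `0imblp0kw9vkcr7sp962jmj20fpmb3hvd3hmf4cs4x04klnq3k90` in this k3s hunk is replaced by an SRI string whose equivalence cannot be confirmed by reading, unlike the first two dockertools.section.md hunks, where the existing base64 digest is merely prefixed with `sha256-`. The same re-encoding happens in the third dockertools.section.md hunk (@@ -922) and in both examples.nix hunks (@@ -115 and @@ -124). A transcription slip here only surfaces as a fixed-output hash mismatch the first time someone builds the module, so each converted value should be regenerated from the old one (`nix-hash --to-sri --type sha256 <old base32 value>`) rather than trusted from the diff.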
diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index a838768b87d5b..bdff4a3e4be71 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -129,50 +129,53 @@ rec { let fixName = name: builtins.replaceStrings [ "/" ":" ] [ "-" "-" ] name; in - { imageName - # To find the digest of an image, you can use skopeo: - # see doc/functions.xml - , imageDigest - , sha256 - , os ? "linux" - , # Image architecture, defaults to the architecture of the `hostPlatform` when unset - arch ? defaultArchitecture - # This is used to set name to the pulled image - , finalImageName ? imageName - # This used to set a tag to the pulled image - , finalImageTag ? "latest" - # This is used to disable TLS certificate verification, allowing access to http registries on (hopefully) trusted networks - , tlsVerify ? true - - , name ? fixName "docker-image-${finalImageName}-${finalImageTag}.tar" - }: + lib.fetchers.withNormalizedHash { } ( + { imageName + # To find the digest of an image, you can use skopeo: + # see doc/functions.xml + , imageDigest + , outputHash + , outputHashAlgo + , os ? "linux" + , # Image architecture, defaults to the architecture of the `hostPlatform` when unset + arch ? defaultArchitecture + # This is used to set name to the pulled image + , finalImageName ? imageName + # This used to set a tag to the pulled image + , finalImageTag ? "latest" + # This is used to disable TLS certificate verification, allowing access to http registries on (hopefully) trusted networks + , tlsVerify ? true + + , name ? 
fixName "docker-image-${finalImageName}-${finalImageTag}.tar" + }: + + runCommand name + { + inherit imageDigest; + imageName = finalImageName; + imageTag = finalImageTag; + impureEnvVars = lib.fetchers.proxyImpureEnvVars; - runCommand name - { - inherit imageDigest; - imageName = finalImageName; - imageTag = finalImageTag; - impureEnvVars = lib.fetchers.proxyImpureEnvVars; - outputHashMode = "flat"; - outputHashAlgo = "sha256"; - outputHash = sha256; - - nativeBuildInputs = [ skopeo ]; - SSL_CERT_FILE = "${cacert.out}/etc/ssl/certs/ca-bundle.crt"; - - sourceURL = "docker://${imageName}@${imageDigest}"; - destNameTag = "${finalImageName}:${finalImageTag}"; - } '' - skopeo \ - --insecure-policy \ - --tmpdir=$TMPDIR \ - --override-os ${os} \ - --override-arch ${arch} \ - copy \ - --src-tls-verify=${lib.boolToString tlsVerify} \ - "$sourceURL" "docker-archive://$out:$destNameTag" \ - | cat # pipe through cat to force-disable progress bar - ''; + inherit outputHash outputHashAlgo; + outputHashMode = "flat"; + + nativeBuildInputs = [ skopeo ]; + SSL_CERT_FILE = "${cacert.out}/etc/ssl/certs/ca-bundle.crt"; + + sourceURL = "docker://${imageName}@${imageDigest}"; + destNameTag = "${finalImageName}:${finalImageTag}"; + } '' + skopeo \ + --insecure-policy \ + --tmpdir=$TMPDIR \ + --override-os ${os} \ + --override-arch ${arch} \ + copy \ + --src-tls-verify=${lib.boolToString tlsVerify} \ + "$sourceURL" "docker-archive://$out:$destNameTag" \ + | cat # pipe through cat to force-disable progress bar + '' + ); # We need to sum layer.tar, not a directory, hence tarsum instead of nix-hash. # And we cannot untar it, because then we cannot preserve permissions etc. diff --git a/pkgs/build-support/docker/examples.nix b/pkgs/build-support/docker/examples.nix index af8be8d79f246..f6e09203b455b 100644 --- a/pkgs/build-support/docker/examples.nix +++ b/pkgs/build-support/docker/examples.nix 
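Review bot: The comment `# see doc/functions.xml` carried into the new parameter list on the `+` side of @@ -129 points at a file that no longer holds this documentation — this very commit edits the pullImage examples in doc/build-helpers/images/dockertools.section.md — so the rewritten header should say `# see doc/build-helpers/images/dockertools.section.md` instead. The new `outputHash` and `outputHashAlgo` parameters are also left undocumented even though every call site touched by this commit passes `hash`; a one-line comment such as `# Derived by lib.fetchers.withNormalizedHash from the caller's hash argument; callers never pass these directly` would spare readers a trip into lib.fetchers. I am inferring that mapping from the wrapper's name and the updated callers, since withNormalizedHash itself is outside this diff. The enclosing `pullImage =` binding starts before the hunk.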
@@ -115,7 +115,7 @@ rec {
 nixFromDockerHub = pullImage {
 imageName = "nixos/nix";
 imageDigest = "sha256:85299d86263a3059cf19f419f9d286cc9f06d3c13146a8ebbb21b3437f598357";
- sha256 = "19fw0n3wmddahzr20mhdqv6jkjn1kanh6n2mrr08ai53dr8ph5n7";
+ hash = "sha256-xxZ4UW6jRIVAzlVYA62awcopzcYNViDyh6q1yocF3KU=";
 finalImageTag = "2.2.1";
 finalImageName = "nix";
 };
@@ -124,7 +124,7 @@ rec {
 testNixFromDockerHub = pkgs.testers.invalidateFetcherByDrvHash pullImage {
 imageName = "nixos/nix";
 imageDigest = "sha256:85299d86263a3059cf19f419f9d286cc9f06d3c13146a8ebbb21b3437f598357";
- sha256 = "19fw0n3wmddahzr20mhdqv6jkjn1kanh6n2mrr08ai53dr8ph5n7";
+ hash = "sha256-xxZ4UW6jRIVAzlVYA62awcopzcYNViDyh6q1yocF3KU=";
 finalImageTag = "2.2.1";
 finalImageName = "nix";
 };
diff --git a/pkgs/build-support/docker/nix-prefetch-docker b/pkgs/build-support/docker/nix-prefetch-docker
index f551d37cda96f..058c0be66ae45 100755
--- a/pkgs/build-support/docker/nix-prefetch-docker
+++ b/pkgs/build-support/docker/nix-prefetch-docker
@@ -133,7 +133,7 @@ else
 fi
 
 # Compute the hash.
-imageHash=$(nix-hash --flat --type $hashType --base32 "$tmpFile")
+imageHash=$(nix-hash --flat --type $hashType --sri "$tmpFile")
 
 # Add the downloaded file to Nix store.
 finalPath=$(nix-store --add-fixed "$hashType" "$tmpFile")
@@ -152,7 +152,7 @@ cat <
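Review bot: `$hashType` is still expanded unquoted in the changed line of @@ -133, while the `nix-store --add-fixed "$hashType"` call two lines below quotes it; for consistency the new line should read `imageHash=$(nix-hash --flat --type "$hashType" --sri "$tmpFile")`. Switching the computed value to SRI presumably also requires the output template in the next hunk (@@ -152, cut off at the end of this page) to print `hash = "..."` rather than `sha256 = "..."`, matching the call sites updated elsewhere in this commit — worth confirming, since that part is not visible here.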