change hash algorithm compatible for fetchNextcloudApp

[onny]

No description provided.

[Scriptkiddi]

Hey isnt there a better way to calculate that hash instead of spawing seperate processes? And why is this a good idea?

[onny]

@Scriptkiddi I guess calculating hashes has changed since NixOS/nixpkgs#193075 and nc4nix probably didn't got updated yet.
Yeah it would be cool to calculate it with Go but not sure how to do it

[Scriptkiddi]

I think we should rework this to go code and then merge it

[onny]

I think we should rework this to go code and then merge it

Found a way to calculate the hash in Go without depending on external commands :)

[onny]

@Scriptkiddi @dasJ

[onny]

Thank you @leonklingele , fixed the issues 👍

[onny]

Oh missed that, thank you!

[onny]

@ajs124 @Mr-Pi

[onny]

Is there anything I can test or further add please let me know :)

[leonklingele]

@onny thanks! Code-wise this lgtm, what's the intention behind this change though? Does the current version (i.e. latest master) yields any different (incorrect?) hashes?

[onny]

yes the hash is now different, probably because fetchnextcloudapp requires a recursive hash, not of the single zip file like before, but of the zip content recursively https://github.com/NixOS/nixpkgs/blob/c5e62ec76a0198822c1cf017f83c1d4c9d1ceb60/pkgs/servers/nextcloud/packages/default.nix#L18

[leonklingele]

To me this change looks like it's switching to the new hash representation used by nix which additionally allows for different hashing algorithms (e.g. sha1, .. instead of sha256). i.e., it's not changing the hash, it's merely using a different encoding of it.

@Conni2461 @dasJ what do you think? nc4nix is more performant when not using this change, and instead leaving the hash-calculation to stdlib's sha256.Sum256.

[onny]

To me this change looks like it's switching to the new hash representation used by nix which additionally allows for different hashing algorithms (e.g. sha1, .. instead of sha256). i.e., it's not changing the hash, it's merely using a different encoding of it.

@Conni2461 @dasJ what do you think? nc4nix is more performant when not using this change, and instead leaving the hash-calculation to stdlib's sha256.Sum256.

sha256.Sum256 only hashes the zip file whereas this PR calculates the hash by unpacking the zip and calculating the hash recursively over all containing files, see:

$ nix-prefetch-url --unpack "https://github.com/nextcloud/bookmarks/releases/download/v13.1.3/bookmarks-13.1.3.tar.gz"
06pprhlaaqdha2nmfdcf76mhh48hdr5jlv88snxji8lpflv50wr5
$ nix-prefetch-url  "https://github.com/nextcloud/bookmarks/releases/download/v13.1.3/bookmarks-13.1.3.tar.gz"
0yl1agr62y87bil321ryrl0qwp9m0gksgwhvcqqlkxgwnjs98d7n

the unpacked hash is used in fetchNextcloudApp because this function also uses fetchzip with recursive hash calculation: https://github.com/NixOS/nixpkgs/blob/791355b27c5bfc58f7339a3dafc936ec50130e01/pkgs/build-support/fetchnextcloudapp/default.nix

I'm not sure if it's possible and recommended by upstream to use the single zip file hash to package nextcloud apps

[leonklingele]

sha256.Sum256 only hashes the zip file whereas this PR calculates the hash by unpacking the zip and calculating the hash recursively over all containing files

I'm not 100% fluent in Nix but I can't see a difference here from a integrity-preserving point of view. Let's see what my work mates have to say. I'll get back to you tomorrow! :)

[leonklingele]

Sorry, this slipped!

[leonklingele]

Just noticed that this directory should be removed after use here, and not further down below, i.e.

Suggested change

	dname, err := os.MkdirTemp("", "")
	if err != nil {
	return "", fmt.Errorf("failed to create temp dir: %w", err)
	}
	dname, err := os.MkdirTemp("", "")
	if err != nil {
	return "", fmt.Errorf("failed to create temp dir: %w", err)
	}
	defer func() {
	if err := os.RemoveAll(dname); err != nil {
	log.Printf("failed to clean up temp dir %q: %v", dname, err)
	}
	}()

[leonklingele]

Suggested change

defer os.RemoveAll(dname)

[leonklingele]

My work mates are busy this week, unfortunately. We‘ll get back to you asap!

[cheriimoya]

I checked the output and somehow, there are some empty values. If I run rg '"sha256": ""' *.json but I just noticed, it also happens with the current implementation. Maybe those should be handled/debugged in a separate Issue.

Otherwise, the PR looks good to me and can be merged.

[onny]

thank you so much for helping and merging this :)

[leonklingele]

Hey @onny :) Just fyi: We have updated this again with 3c35a0e — we now no longer extract the zip archive due to bug with some of the Nextcloud apps which yielded an incorrect hash. We however still use an SRI hash.

[dotlambda]

We have updated this again with 3c35a0e — we now no longer extract the zip archive due to bug with some of the Nextcloud apps which yielded an incorrect hash.

Does that not create problems regarding reproducability as outlined in NixOS/nixpkgs#193075?
I guess not because afaict no Nextcloud app is downloaded as a source code archive (github.com/*/*/archive/...) but as a release tarball (github.com/*/*/releases/download/...) instead.
cc @Ma27