Closed alexkolson closed 1 year ago
Sure thing here is the PR.
So for background, the reason you can't generate the hash from the zip file is, the hash used in the shell.nix is the hash of the contents of all the files when downloaded and extracted inside the nix-store. Sometimes this is referred to as the nix-hash.
So, for clarity - the sha256 is the hash of the output of the derivation in the nix-store of this file being downloaded and extracted NOT the hash of the file.
The reason for this is safety against collision attacks, where someone generates two zips with different files but the same hash - nix would catch this kind of attack, normal file hashing wouldn't. This is a difficult attack to pull off, but in the future it might not be so hard to pull off.
There is a tool to compute the hash;
Another thing you can do is use a built in util to fake the hash;
Which will generate the following error telling you the right hash;
And here is the hash for the 2.0.0 release.
sha256-FGYgBxmQ4MkP+gdPPMZP88XGBIexe5n+pe9epS5u6Y4=
Does that make sense? I avoided explaining this in the initial PR because it's a bit of a quirk of nix, but the underlying point is - it's for security.
Another link explaining the (very understandable!) confusion between what the hash is actually hashing can be found here; https://ryantm.github.io/nixpkgs/builders/fetchers/
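To make the distinction in the comment above concrete, here is an added example (it is not code from this PR or from the project): it hashes a zip two ways, once as raw archive bytes (what `openssl dgst -sha256` or `sha256sum` gives you) and once over the *extracted* files, serialized in the NAR format that Nix hashes for a fixed-output fetch. The archives, their file names and contents are constructed inline for the demo; the `build_zip`, `file_hash` and `content_hash` names are this example's own. The NAR serializer follows the archive format as documented for Nix, so `nix hash path` over the same unpacked tree should agree, but the point of the demo is only that two archives with different bytes and identical contents get the same content hash.

```python
"""Contrast a plain file hash of an archive with a hash of its unpacked contents.

Added example: demonstrates why re-hashing the downloaded zip never reproduces
the sha256 in shell.nix, which is taken over the unpacked store path instead.
"""
import base64
import hashlib
import io
import os
import struct
import tempfile
import zipfile
from pathlib import Path


def _nar_str(data: bytes) -> bytes:
    """NAR string: 8-byte little-endian length, payload, zero padding to 8 bytes."""
    return struct.pack("<Q", len(data)) + data + b"\0" * ((-len(data)) % 8)


def _nar_node(path: Path) -> bytes:
    """Serialize one filesystem node; directory entries are visited in byte order."""
    out = [_nar_str(b"("), _nar_str(b"type")]
    if path.is_symlink():
        out += [_nar_str(b"symlink"), _nar_str(b"target"), _nar_str(os.readlink(path).encode())]
    elif path.is_dir():
        out.append(_nar_str(b"directory"))
        for child in sorted(path.iterdir(), key=lambda p: p.name.encode()):
            out += [_nar_str(b"entry"), _nar_str(b"("), _nar_str(b"name"),
                    _nar_str(child.name.encode()), _nar_str(b"node"),
                    _nar_node(child), _nar_str(b")")]
    else:
        out.append(_nar_str(b"regular"))
        if path.stat().st_mode & 0o111:  # only the executable bit survives, not the full mode
            out += [_nar_str(b"executable"), _nar_str(b"")]
        out += [_nar_str(b"contents"), _nar_str(path.read_bytes())]
    out.append(_nar_str(b")"))
    return b"".join(out)


def nar_serialize(root: Path) -> bytes:
    """Full NAR stream for a tree: magic header followed by the root node."""
    return _nar_str(b"nix-archive-1") + _nar_node(root)


def sri_sha256(data: bytes) -> str:
    """SRI-style hash string, the form shown in the PR (sha256-<base64>)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()


def file_hash(archive: bytes) -> str:
    """What openssl/sha256sum compute: a hash over the archive bytes themselves."""
    return sri_sha256(archive)


def content_hash(archive: bytes) -> str:
    """What the fetcher's sha256 covers: the NAR serialization of the unpacked tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            # zipfile.extractall drops absolute paths and '..' components, so a
            # hostile member name cannot escape the temporary directory.
            zf.extractall(root)
        return sri_sha256(nar_serialize(root))


def build_zip(entries: dict, compression: int, date_time: tuple) -> bytes:
    """Constructed sample archive; compression and timestamps change the bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = compression
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed release contents: identical in both archives below.
SAMPLE_FILES = {
    "release/bin/tool.sh": b"#!/bin/sh\necho hello\n",
    "release/README": b"example release 2.0.0\n",
}
# Same files, packed differently (stored vs. deflated, different mtimes).
ZIP_A = build_zip(SAMPLE_FILES, zipfile.ZIP_STORED, (2024, 1, 1, 0, 0, 0))
ZIP_B = build_zip(SAMPLE_FILES, zipfile.ZIP_DEFLATED, (2024, 6, 1, 12, 0, 0))


def demo() -> dict:
    """Return both hash kinds for both archives so the difference is visible."""
    return {
        "file_a": file_hash(ZIP_A), "file_b": file_hash(ZIP_B),
        "content_a": content_hash(ZIP_A), "content_b": content_hash(ZIP_B),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it prints two different `file_*` hashes and two identical `content_*` hashes: the archive bytes differ, the unpacked tree does not. That is exactly why the value in `shell.nix` cannot be reproduced from the zip alone, and why verifying the unpacked result is the check that matters when a release is re-packaged.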
Thank you a ton for the background information and the PR! Merged.
Hey @adam-fallon, would you mind helping here? :)
I am happy to do it as well, but I am not sure how exactly the sha256 hash is being generated/what is being hashed. When I use `openssl` to generate a sha256 hash for the 1.1.0 jar it is nothing like the one in `shell.nix`. Any tips you could share? Thank you!