CA hash mismatch fetching from a substituter populated by an old nix

[pwaller]

Edit: It appears this was caused by self-hash rewriting in #4282, so this may not have a solution other than dropping the cache or using old versions of nix to import things.

cc @thufschmitt @Ericson2314

Describe the bug

With CA derivations, a more recent version of nix cannot use a substituter populated by an older version of nix (specifically, 3ebe134 (2.17.0) onwards can't use caches from before that time).

Steps To Reproduce

With Nix 2.13:

1. nix store make-content-addressed nixpkgs#hello (produces CA store path as output)
2. nix copy --to file://$PWD/temporary-cache?compression=zstd <the path from the above>
3. nix store delete <the path from the above>.

With Nix 2.18:

• nix copy --from file://$PWD/temporary-cache <the path from above>

Expected behavior

This should copy the path from the store. A more recent version of nix should be able to use a cache populated by an older version of nix.

Currently it fails with, e.g.

error: ca hash mismatch importing path '/nix/store/pc8k87lh2hsi5f3bhdja1ijx252520dq-hello-2.12.1';
         specified: sha256:09zxrcr17l0j41xwkkwaf0awgarckym7lhhx971951fka8s3xsvn
         got:       sha256:13nh9jz92a6wfry0mslvcmgqbjibchi49px1pq8dgaqk6p8m5yk5

Ideally, nix 2.18 and onwards would receive a fix that enabled it to use substituters populated by older caches.

Additional context

The CA failure bisects to 3ebe134 (cc @thufschmitt). Commits before this commit can use caches populated by older versions of nix.

CA derivations are marked experimental. However, it sounds to me like breaking them was unintentional and this is not protected as a test. (Ed: speculation turned out to be wrong, it was intentional per #4282, though the consequences might want revisiting) Given that cache contents can be quite valuable, rendering old caches inaccessible to newer versions of nix can represent a big expense/inconvenience. This should at least be protected for the future.

From a user perspective, ideally nix would recognize hashes created by older versions of nix as valid, assuming there is no good reason to invalidate them. Additionally, Nix could provide a diagnosis that older versions of nix use different hashes.

In fact, it comes as a surprise that you can even have a CA-derivation cache hit, and an invalid CA hash. It seems that by construction it should be a cache miss.

Additionally, I understand from discussion in Matrix that it is surprising/unexpected that the hash changed, so it should be looked into whether what is being hashed is the correct content, or if something unexpected is happening to input to the hash. Since the CA hash is used for identity/signature security, it strikes me as important that it is correct; and it probably shouldn't have changed across nix versions.

Priorities

Add 👍 to issues you find important.

[infinisil]

It looks like this was intentional: #4282 (comment)

[pwaller]

Thanks @infinisil - I've changed the title and added a note at the top of the issue.

The question remains: is there anything that could/should be done about this, or is this a fact of life? If nothing else, the failure mode of being met with a hash mismatch is not ideal. ISTM it could be better to have a cache miss, or a warning about what's likely happening.

[Mindavi]

It'd be useful to have a short writeup of how to cleanup the CA store in general, I'd like to do that for my store so I can start with a clean slate 🙂