Nix supports a number of hash algorithms:
- MD5 (deprecated)
- SHA-1 (deprecated)
- SHA-256 (default)
- SHA-512
- BLAKE3 (experimental)
BLAKE3 support requires Nix version 2.31+ & enabling the blake3-hashes experimental feature. The algorithm works very well with tree-like structures such as the file system, which is what Nix is often hashing. BLAKE3 offers faster hashing & is more secure, which makes it a good choice for new setups that can afford to try it out. At the time of writing, Nix flakes does not & cannot support changing the hash algorithm away from SHA-256 for input pinning, so automating it requires an input pinner like Nixtamal.
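A preflight check for the two requirements above, as an added example that is not from the Nix or Nixtamal documentation. The function names are hypothetical helpers; the only Nix calls used are `nix --version` and `nix config show experimental-features`.

```sh
#!/bin/sh
# Added example: preflight for the two BLAKE3 requirements (Nix 2.31+ and
# the blake3-hashes feature). Function names are hypothetical helpers.

# Print "MAJOR MINOR" from text such as "nix (Nix) 2.31.2" or "2.32pre20250901".
nix_major_minor() {
	printf '%s\n' "$1" |
		awk 'NR == 1 { split($NF, v, "."); print v[1] + 0, v[2] + 0 }'
}

# version_at_least HAVE WANT: numeric compare, so 2.4 sorts below 2.31.
version_at_least() {
	set -- $(nix_major_minor "$1") $(nix_major_minor "$2")
	[ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# feature_enabled LIST NAME: NAME must appear as a whole word in LIST.
feature_enabled() {
	case " $1 " in
		*" $2 "*) return 0 ;;
	esac
	return 1
}

# blake3_preflight VERSION_TEXT FEATURE_LIST
# Returns 0 when usable, 1 when Nix is too old, 2 when the feature is off.
blake3_preflight() {
	if ! version_at_least "$1" 2.31; then
		echo "Nix is older than 2.31: $1"
		return 1
	fi
	if ! feature_enabled "$2" blake3-hashes; then
		echo "blake3-hashes is not in experimental-features: $2"
		return 2
	fi
	echo "ok: BLAKE3 hashes can be used"
}

# Run against the local installation when Nix is present.
if command -v nix >/dev/null 2>&1; then
	features=$(nix --extra-experimental-features nix-command \
		config show experimental-features 2>/dev/null)
	blake3_preflight "$(nix --version)" "$features" ||
		echo "resolve this before setting hash algorithm=BLAKE3" >&2
fi
```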
How to use the BLAKE3 hash algorithm with Nix + Nixtamal
Let’s show the way using the WhisperFish repository’s latest commit, but you can use any input kind.
Using BLAKE3 on a single input
```kdl
// manifest.kdl
inputs {
	whisperfish {
		archive {
			url "https://gitlab.com/whisperfish/whisperfish/-/archive/{{fresh-value}}/whisperfish-{{fresh-value}}.tar.bz2"
		}
		hash algorithm=BLAKE3
		fresh-cmd {
			$ git ls-remote --branches main "https://gitlab.com/whisperfish/whisperfish.git"
			| cut -f1
		}
	}
}
```
Additionally, you can set BLAKE3 as the default at the manifest file’s top level.
Project-wide default
```kdl
// manifest.kdl
version "1.0.0"
default-hash-algorithm BLAKE3
```