fetchFromGitHub not validating hashes

[KevinGimbel]

Describe the bug

A clear and concise description of what the bug is.

Steps To Reproduce

1. Save the following as shell.nix

let
    pkgs = import <nixpkgs> {};

    mktoc = pkgs.fetchFromGitHub {
        owner   = "KevinGimbel";
        repo    = "mktoc";
        rev     = "v4.0.0";
        hash    = "sha256-XNrn89Vv8R5r5hmDhGZVcYcUdY3Zw/+Ss/x7YfEtX2A=";
    };

    installed_pkgs = [
      mktoc
    ];
in


pkgs.mkShellNoCC {
  packages = installed_pkgs;
  # executed on start
  shellHook = ''
    mktoc --version
  '';
}

2. Run nix-shell -v shell.nix

Now with the wrong hash, I'd expect nix to not install the tool and notify me about the hash mismatch. But it doesn't.

If I remove the hash it works:

warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
[...]
  specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-Pq4o0t0cUrkXff+qSU5mlDo5A0nhFBuFk3Xz10AWDeo=

Expected behavior

nix should not install anything if the hash doesn't match.

sha256-XNrn89Vv8R5r5hmDhGZVcYcUdY3Zw/+Ss/x7YfEtX2A= isn't the hash of this repo, it's the hash from kubectl v0.30.1 and has nothing to do with mktoc (the tool I try to install).

nix-env --version output
nix-env (Nix) 2.22.1

Additional context

OS: macOS

Priorities

Add 👍 to issues you find important.

[szlend]

This is unfortunate, but working as intended. Fixed output derivations don't care about any inputs. They will pick anything that matches the hash from the nix store.

[SuperSandro2000]

fetchFromGitHub is in nixpkgs and as already said this is an intended feature. Please close.

[roberth]

Duplicate, but a relevant discussion is in

• Bypass store object reuse when FODs change source description #7999