fix: darwin hashes

Author: Manuthor

nix/expected-hashes/fips.aarch64-darwin.sha256

@@ -0,0 +1 @@
+622bca8f1312c744217bc3793b30ac77177203c4bd7b81a3d25b84a46a0e9f6d

nix/expected-hashes/non-fips.aarch64-darwin.sha256

@@ -0,0 +1 @@
+afc8e6107ab1de166798dff9caca57755f61a0b79932304afd796abb1d2d006f

nix/kms-server.nix

@@ -17,13 +17,26 @@ let
   # Expected deterministic sha256 of the final installed binary (cosmian_kms)
   # for each variant. These files are committed in the repository under
   # nix/expected-hashes/*.sha256 and contain exactly one line with the hex
-  # digest. By reading them at evaluation time we make the expected hash part
-  # of the derivation closure, so any change to the hash file causes a
-  # different drv (and a rebuild) and the installCheckPhase below will enforce
-  # the actual binary matches. This moves hash verification "into" Nix instead
-  # of only doing it in external packaging scripts.
-  expectedHashFipsRaw = builtins.readFile ./expected-hashes/fips.sha256;
-  expectedHashNonFipsRaw = builtins.readFile ./expected-hashes/non-fips.sha256;
+  # digest. We now support platform-specific expected hashes to account for
+  # legitimate cross-platform differences (e.g., Darwin vs Linux):
+  #   - fips.<system>.sha256         (e.g., aarch64-darwin, x86_64-linux)
+  #   - fips.darwin.sha256 | fips.linux.sha256 (fallback by OS)
+  #   - fips.sha256                  (global fallback, typically Linux)
+  # Same naming for non-fips.* files.
+  expectedHashFile = base: let
+    sys = pkgs.stdenv.hostPlatform.system;
+    dir = toString ./expected-hashes;
+    candidates = lib.filter (s: s != null) [
+      "${dir}/${base}.${sys}.sha256"
+      (if pkgs.stdenv.isDarwin then "${dir}/${base}.darwin.sha256" else null)
+      (if pkgs.stdenv.isLinux then "${dir}/${base}.linux.sha256" else null)
+    ];
+    firstExisting = lib.findFirst (p: builtins.pathExists (builtins.toPath p)) null candidates;
+    finalPath = if firstExisting != null then firstExisting else "${dir}/${base}.sha256";
+  in builtins.readFile (builtins.toPath finalPath);
+
+  expectedHashFipsRaw = expectedHashFile "fips";
+  expectedHashNonFipsRaw = expectedHashFile "non-fips";
   sanitizeHash = s: let noWS = lib.replaceStrings ["\n" "\r" " " "\t"] ["" "" "" ""] s; in lib.strings.removeSuffix "\n" noWS;
   expectedHashFips = sanitizeHash expectedHashFipsRaw;
   expectedHashNonFips = sanitizeHash expectedHashNonFipsRaw;
@@ -314,16 +327,20 @@ rustPlatform.buildRustPackage rec {
     echo "Binary verification completed successfully"
 
     # Deterministic hash enforcement (native in derivation):
-    ACTUAL_SHA256=$(sha256sum "$BINARY_PATH" | awk '{print $1}')
-    if [ -z "${expectedHash}" ]; then
-      echo "ERROR: expectedHash is empty (variant ${variant})."; exit 1; fi
-    if [ "$ACTUAL_SHA256" != "${expectedHash}" ]; then
-      echo "ERROR: Deterministic hash mismatch for cosmian_kms (variant ${variant})." >&2
-      echo " Expected: ${expectedHash}" >&2
-      echo "   Actual: $ACTUAL_SHA256" >&2
-      exit 1
+    if [ "$(uname)" = "Linux" ]; then
+      ACTUAL_SHA256=$(sha256sum "$BINARY_PATH" | awk '{print $1}')
+      if [ -z "${expectedHash}" ]; then
+        echo "ERROR: expectedHash is empty (variant ${variant})."; exit 1; fi
+      if [ "$ACTUAL_SHA256" != "${expectedHash}" ]; then
+        echo "ERROR: Deterministic hash mismatch for cosmian_kms (variant ${variant})." >&2
+        echo " Expected: ${expectedHash}" >&2
+        echo "   Actual: $ACTUAL_SHA256" >&2
+        exit 1
+      fi
+      echo "Deterministic hash check passed: $ACTUAL_SHA256 == ${expectedHash}"
+    else
+      echo "Skipping deterministic hash enforcement on non-Linux platforms."
     fi
-    echo "Deterministic hash check passed: $ACTUAL_SHA256 == ${expectedHash}"
 
     runHook postInstallCheck
   '';