Invalid Fingerprint

mperillo · April 20, 2026, 9:26am

Today I started a new project, but I got an invalid fingerprint:

zig build test
/home/manlio/src/zig/src/codeberg.org/manliop/build.zig.zon:1:2: error: invalid fingerprint: 0x163159c8b695f8c6; if this is a new or forked package, use this value: 0x7ec30896471f0bb7
.{

Why zig used a different value?

Thanks

vulpesx · April 20, 2026, 9:55am

Part of the fingerprint is a checksum of the package name, so if the name changes it invalidates the fingerprint.

The rest of the fingerprint is random.

When a fingerprint is invalid, or missing; zig provides a new, valid, fingerprint you could use.

It is very important that when you make forks you update the fingerprint, even if the name is the same. If you don’t do that then you would be impersonating the original.

mperillo · April 20, 2026, 10:06am

@vulpesx, thanks.

I indeed changed the module name.

vulpesx · April 20, 2026, 10:07am

package name.

Modules are just one thing a package can export.

arisumar25 · May 20, 2026, 11:37pm

I want to jump in into this topic as I keep getting invalid fingerprint on my new project. Whenever I use the fingerprint that zig provide from the error, I keep getting invalid fingerprint and zig decide to give a different fingerprint. Is there something that I miss?

arisumar25 · May 20, 2026, 11:39pm

Oh never mind. It turns out the invalid fingerprint coming from the dependency package that I just changed its name without updating the fingerprint. However, the error is very misleading that I thought the generated fingerprint is for the new project not the dependency package

vulpesx · May 21, 2026, 1:52am

Was it misleading? Or are you just not familiar enough with zig errors to quickly spot the source of it?

Because zig will tell you exactly where the issue is and, in zig code, how it got there.

arisumar25 · May 21, 2026, 1:56am

Ah you are right. I just reproduce the error and did not notice that it tells which dependency causing the error. I missed the hint because the dependency and new project name have quite similar naming. Thanks for pointing that out!

Kass · May 21, 2026, 6:49pm

This thread led me down a rabbit hole. Has anyone tried to claim a cute vanity fingerprint for their project yet? CRC32 is quite a choice.

https://codeberg.org/ziglang/zig/src/commit/0d4f3cc675b71dd3729c7aebab5c47b405922cee/src/Package.zig#L9-L30

castholm · May 21, 2026, 9:45pm

I (ab)use it for my packages Not the raw fingerprint itself, but its base64url-encoded form as a component of the package hash:

sdl-0.5.0+3.4.8-SDL--k4DpgH323IfF6cEaGzKUdtUQv1azbBmmcv0RMAu.tar.gz
sdl_linux_deps-0.0.0-SDL_ltg8hgAOayMwFN6BhHW3Rs5UPtf6n8m-2qcQHuGS.tar.gz
zigglgen-0.5.0-ziggltzDLwA0Gk0Pj6QMij1j6Z_jkvGEtGKBM6-YlI_s.tar.gz

More details in this thread:

Cloudef · May 22, 2026, 4:24am

I used this in zig-aio https://github.com/Cloudef/zig-aio/blob/master/build.zig.zon#L4C5-L4C39