diff --git a/pkgs/build-support/rust/default.nix b/pkgs/build-support/rust/default.nix
index 8e47a2b0bf2..9e8e32035d0 100644
--- a/pkgs/build-support/rust/default.nix
+++ b/pkgs/build-support/rust/default.nix
@@ -15,7 +15,13 @@
 }:
 
 { name ? "${args.pname}-${args.version}"
-, cargoSha256 ? "unset"
+
+  # SRI hash
+, cargoHash ? ""
+
+  # Legacy hash
+, cargoSha256 ? ""
+
 , src ? null
 , srcs ? null
 , unpackPhase ? null
@@ -46,7 +52,7 @@
 , buildAndTestSubdir ? null
 , ... } @ args:
 
-assert cargoVendorDir == null -> cargoSha256 != "unset";
+assert cargoVendorDir == null -> !(cargoSha256 == "" && cargoHash == "");
 assert buildType == "release" || buildType == "debug";
 
 let
@@ -54,6 +60,7 @@ let
   cargoDeps = if cargoVendorDir == null
     then fetchCargoTarball ({
         inherit name src srcs sourceRoot unpackPhase cargoUpdateHook;
+        hash = cargoHash;
         patches = cargoPatches;
         sha256 = cargoSha256;
       } // depsExtraArgs)
@@ -61,7 +68,7 @@ let
 
   # If we have a cargoSha256 fixed-output derivation, validate it at build time
   # against the src fixed-output derivation to check consistency.
-  validateCargoDeps = cargoSha256 != "unset";
+  validateCargoDeps = !(cargoHash == "" && cargoSha256 == "");
 
   # Some cargo builds include build hooks that modify their own vendor
   # dependencies. This copies the vendor directory into the build tree and makes
diff --git a/pkgs/build-support/rust/fetchCargoTarball.nix b/pkgs/build-support/rust/fetchCargoTarball.nix
index dff5d99da9e..0726e5cfa5a 100644
--- a/pkgs/build-support/rust/fetchCargoTarball.nix
+++ b/pkgs/build-support/rust/fetchCargoTarball.nix
@@ -22,11 +22,17 @@ in
 , srcs ? []
 , patches ? []
 , sourceRoot
-, sha256
+, hash ? ""
+, sha256 ? ""
 , cargoUpdateHook ? ""
 , ...
 } @ args:
-stdenv.mkDerivation ({
+
+let hash_ =
+  if hash != "" then { outputHashAlgo = null; outputHash = hash; }
+  else if sha256 != "" then { outputHashAlgo = "sha256"; outputHash = sha256; }
+  else throw "fetchCargoTarball requires a hash for ${name}";
+in stdenv.mkDerivation ({
   name = "${name}-vendor.tar.gz";
   nativeBuildInputs = [ cacert git cargo-vendor-normalise cargo ];
 
@@ -40,7 +46,7 @@ stdenv.mkDerivation ({
         echo
         echo "ERROR: The Cargo.lock file doesn't exist"
         echo
-        echo "Cargo.lock is needed to make sure that cargoSha256 doesn't change"
+        echo "Cargo.lock is needed to make sure that cargoHash/cargoSha256 doesn't change"
         echo "when the registry is updated."
         echo
 
@@ -72,8 +78,7 @@ stdenv.mkDerivation ({
         -czf $out $name
   '';
 
-  outputHashAlgo = "sha256";
-  outputHash = sha256;
+  inherit (hash_) outputHashAlgo outputHash;
 
   impureEnvVars = stdenv.lib.fetchers.proxyImpureEnvVars;
 } // (builtins.removeAttrs args [
diff --git a/pkgs/tools/misc/broot/default.nix b/pkgs/tools/misc/broot/default.nix
index 4e40a4a336d..e4561c38228 100644
--- a/pkgs/tools/misc/broot/default.nix
+++ b/pkgs/tools/misc/broot/default.nix
@@ -18,7 +18,7 @@ rustPlatform.buildRustPackage rec {
     sha256 = "04nidx43w4nnccgbrw30wg9ai8p7hbklxpn1gc6gr2325yhqvwhl";
   };
 
-  cargoSha256 = "1bzq0dsdnmxniwnb6989wlhih28c4lyd11sci821whs11lhlfpz0";
+  cargoHash = "sha256-4F9HIQ1BQx4EikyH0DwlDAkYIeUJJbMsj7ZX23QD+K8=";
 
   nativeBuildInputs = [
     makeWrapper