diff --git a/contrib/hash/go.mod b/contrib/hash/go.mod
new file mode 100644
index 0000000000000000000000000000000000000000..ec61edd35d2eee7b3e2509730e510290712f9cd9
--- /dev/null
+++ b/contrib/hash/go.mod
@@ -0,0 +1,3 @@
+module h.a/sh
+
+go 1.20

diff --git a/contrib/hash/main.go b/contrib/hash/main.go
new file mode 100644
index 0000000000000000000000000000000000000000..aed2068e2a107f7c95b1f86291527aa6dfa89153
--- /dev/null
+++ b/contrib/hash/main.go
@@ -0,0 +1,88 @@
+package main
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"regexp"
+)
+
+var (
+	versionRe      = regexp.MustCompile(`version = "[^"]+"`)
+	sha256Re       = regexp.MustCompile(`sha256 = (?:"[^"]+"|lib.fakeSha256)`)
+	vendorSha256Re = regexp.MustCompile(`vendorSha256 = (?:"[^"]+"|lib.fakeSha256)`)
+	gotRe          = regexp.MustCompile(`got:\s+(.+)`)
+)
+
+func main() {
+	if err := mainErr(); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+	}
+}
+
+func mainErr() error {
+	if len(os.Args) < 3 {
+		return errors.New("hash <pkg> <version>")
+	}
+
+	pkg, version := os.Args[1], os.Args[2]
+	pkgFile := fmt.Sprintf("pkgs/%s/default.nix", pkg)
+
+	content, err := os.ReadFile(pkgFile)
+	if err != nil {
+		return err
+	}
+
+	// Set version and reset hashes
+	content = versionRe.ReplaceAll(content, []byte(fmt.Sprintf(`version = "%s"`, version)))
+	content = sha256Re.ReplaceAll(content, []byte("sha256 = lib.fakeSha256"))
+	content = vendorSha256Re.ReplaceAll(content, []byte("vendorSha256 = lib.fakeSha256"))
+	if err := os.WriteFile(pkgFile, content, os.ModePerm); err != nil {
+		return err
+	}
+
+	// Get sha256
+	out, _ := run(pkg)
+	match := gotRe.FindSubmatch(out)
+	if match == nil {
+		return errors.New("could not find expected sha256")
+	}
+	sha256 := match[1]
+	sha256Repl := fmt.Sprintf(`sha256 = "%s"`, sha256)
+	fmt.Printf("\n\n-----\n%s\n-----\n\n", sha256Repl)
+	content = sha256Re.ReplaceAll(content, []byte(sha256Repl))
+	if err := os.WriteFile(pkgFile, content, os.ModePerm); err != nil {
+		return err
+	}
+
+	// Get vendorSha256
+	out, _ = run(pkg)
+	match = gotRe.FindSubmatch(out)
+	if match == nil {
+		return errors.New("could not find expected vendorSha256")
+	}
+	vendorSha256 := match[1]
+	vendorSha256Repl := fmt.Sprintf(`vendorSha256 = "%s"`, vendorSha256)
+	fmt.Printf("\n\n-----\n%s\n-----\n\n", vendorSha256Repl)
+	content = vendorSha256Re.ReplaceAll(content, []byte(vendorSha256Repl))
+	if err := os.WriteFile(pkgFile, content, os.ModePerm); err != nil {
+		return err
+	}
+
+	// Make sure it builds
+	_, err = run(pkg)
+	return err
+}
+
+func run(pkg string) ([]byte, error) {
+	var buf bytes.Buffer
+	w := io.MultiWriter(&buf, os.Stdout)
+	cmd := exec.Command("nix-build", "-E", fmt.Sprintf("with import <nixpkgs> { }; callPackage ./pkgs/%s { }", pkg))
+	cmd.Stdout = w
+	cmd.Stderr = w
+	err := cmd.Run()
+	return buf.Bytes(), err
+}

diff --git a/justfile b/justfile
index 25cb4f596c804416baa85b8aa5f44e89b1ae1692..315cccb60419ee38ceb96456be514aea3b3c2c8a 100644
--- a/justfile
+++ b/justfile
@@ -1,5 +1,12 @@
+[private]
+default:
+	@just --list
+
 build package:
 	@nix-build -E 'with import <nixpkgs> { }; callPackage ./pkgs/{{package}} { }'
 
-update:
+update-flake:
 	@nix flake update
+
+update-package package version:
+	@go run contrib/hash/main.go {{package}} {{version}}