diff --git a/pkgs/applications/networking/cluster/cmctl/default.nix b/pkgs/applications/networking/cluster/cmctl/default.nix
index 3cef6be03c46..4a990caf3b50 100644
--- a/pkgs/applications/networking/cluster/cmctl/default.nix
+++ b/pkgs/applications/networking/cluster/cmctl/default.nix
@@ -7,8 +7,8 @@ buildGoModule rec {
   src = fetchFromGitHub {
     owner = "cert-manager";
     repo = "cert-manager";
-    rev = "v${version}";
-    hash = "sha256-Z1aJ18X4mfJPlCPBC7QgfdX5Tk4+PK8mYoJZhGwz9ec=";
+    rev = "4486c01f726f17d2790a8a563ae6bc6e98465505";
+    sha256 = "1rzm6dn88nc2c8kayg1y9r7gkmbx42s0ph93ji7z56gqqpbqjmk7";
   };
 
   vendorSha256 = "sha256-45+tZZAEHaLdTN1NQCueJVTx5x2IanwDl+Y9MELqdBE=";
@@ -19,6 +19,8 @@ buildGoModule rec {
     "-s" "-w"
     "-X github.com/cert-manager/cert-manager/cmd/ctl/pkg/build.name=cmctl"
     "-X github.com/cert-manager/cert-manager/cmd/ctl/pkg/build/commands.registerCompletion=true"
+    "-X github.com/cert-manager/cert-manager/pkg/util.AppVersion=v${version}"
+    "-X github.com/cert-manager/cert-manager/pkg/util.AppGitCommit=${src.rev}"
   ];
 
   nativeBuildInputs = [ installShellFiles ];
@@ -49,4 +51,3 @@ buildGoModule rec {
     maintainers = with maintainers; [ joshvanl superherointj ];
   };
 }
-
diff --git a/pkgs/applications/networking/cluster/cmctl/update.sh b/pkgs/applications/networking/cluster/cmctl/update.sh
new file mode 100755
index 000000000000..70b088a6880a
--- /dev/null
+++ b/pkgs/applications/networking/cluster/cmctl/update.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnugrep gnused jq
+
+set -x -eu -o pipefail
+
+NIXPKGS_PATH="$(git rev-parse --show-toplevel)"
+CMCTL_PATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
+
+OLD_VERSION="$(nix-instantiate --eval -E "with import $NIXPKGS_PATH {}; cmctl.version or (builtins.parseDrvName cmctl.name).version" | tr -d '"')"
+LATEST_TAG="$(curl -s ${GITHUB_TOKEN:+"-u \":$GITHUB_TOKEN\""} "https://api.github.com/repos/cert-manager/cert-manager/releases" | jq '.[].tag_name' --raw-output | sed '/-/d' | sort --version-sort -r | head -n 1)"
+LATEST_VERSION="${LATEST_TAG:1}"
+
+if [ ! "$OLD_VERSION" = "$LATEST_VERSION" ]; then
+    SHA256=$(nix-prefetch-url --quiet --unpack https://github.com/cert-manager/cert-manager/archive/refs/tags/${LATEST_TAG}.tar.gz)
+    TAG_SHA=$(curl -s ${GITHUB_TOKEN:+"-u \":$GITHUB_TOKEN\""}  "https://api.github.com/repos/cert-manager/cert-manager/git/ref/tags/${LATEST_TAG}" | jq -r '.object.sha')
+    TAG_COMMIT_SHA=$(curl -s ${GITHUB_TOKEN:+"-u \":$GITHUB_TOKEN\""} "https://api.github.com/repos/cert-manager/cert-manager/git/tags/${TAG_SHA}" | jq '.object.sha' --raw-output)
+
+    setKV () {
+        sed -i "s|$1 = \".*\"|$1 = \"${2:-}\"|" "${CMCTL_PATH}/default.nix"
+    }
+
+    setKV version ${LATEST_VERSION}
+    setKV sha256 "${SHA256}"
+    setKV rev ${TAG_COMMIT_SHA}
+    setKV vendorSha256 "0000000000000000000000000000000000000000000000000000" # The same as lib.fakeSha256
+
+    set +e
+    VENDOR_SHA256=$(nix-build --no-out-link -A cmctl $NIXPKGS_PATH 2>&1 >/dev/null | grep "got:" | cut -d':' -f2 | sed 's| ||g')
+    set -e
+
+    if [ -n "${VENDOR_SHA256:-}" ]; then
+        setKV vendorSha256 ${VENDOR_SHA256}
+    else
+        echo "Update failed. VENDOR_SHA256 is empty."
+        exit 1
+    fi
+
+    echo "updated cmctl to $LATEST_VERSION, please commit changes."
+else
+    echo "cmctl is already up-to-date at $OLD_VERSION"
+fi