Warning: This program is experimental and its interface is subject to change.
nix store verify - verify the integrity of store paths
nix store verify [option...] installables...
Verify the entire Nix store:
# nix store verify --all
Check whether each path in the closure of Firefox has at least 2 signatures:
# nix store verify -r -n2 --no-contents $(type -p firefox)
Verify a store path in the binary cache
# nix store verify --store https://cache.nixos.org/ \ /nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10
This command verifies the integrity of the store paths installables,
--all is given, the entire Nix store. For each path, it
its contents match the NAR hash recorded in the Nix database; and
it is trusted, that is, it is signed by at least one trusted signing key, is content-addressed, or is built locally ("ultimately trusted").
The exit status of this command is the sum of the following values:
1 if any path is corrupted (i.e. its contents don't match the recorded NAR hash).
2 if any path is untrusted.
4 if any path couldn't be verified for any other reason (such as an I/O error).
Do not verify the contents of each store path.
Do not verify whether each store path is trusted.
Require that each path has at least n valid signatures.
Use signatures from the specified store.
Common evaluation options:
Pass the value expr as the argument name to Nix functions.
Pass the string string as the argument name to Nix functions.
The Nix store to use for evaluations.
Allow access to mutable paths and repositories.
Add path to the list of locations used to look up
Override the flake registries, redirecting original-ref to resolved-ref.
Common flake-related options:
Commit changes to the flake's lock file.
Use the inputs of the specified flake as registry entries.
Don't allow lookups in the flake registries. This option is deprecated; use
Do not allow any updates to the flake's lock file.
Do not write the flake's newly generated lock file.
Override a specific flake input (e.g.
dwarffs/nixpkgs). This implies
Recreate the flake's lock file from scratch.
Update a specific flake input (ignoring its previous entry in the lock file).
Options that change the interpretation of installables:
Apply the operation to every store path.
Operate on the store derivation rather than its outputs.
Interpret installables as attribute paths relative to the Nix expression expr.
Interpret installables as attribute paths relative to the Nix expression stored in file. If file is the character -, then a Nix expression will be read from standard input.
Apply operation to closure of the specified paths.