Warning: This program is experimental and its interface is subject to change.
Name
nix store verify - verify the integrity of store paths
Synopsis
nix store verify [option...] installables...
Examples
- Verify the entire Nix store:
    # nix store verify --all
- Check whether each path in the closure of Firefox has at least 2 signatures:
    # nix store verify -r -n2 --no-contents $(type -p firefox)
- Verify a store path in the binary cache https://cache.nixos.org/:
    # nix store verify --store https://cache.nixos.org/ \
        /nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10
Description
This command verifies the integrity of the store paths installables, or, if --all is given, the entire Nix store. For each path, it checks that
- its contents match the NAR hash recorded in the Nix database; and
- it is trusted, that is, it is signed by at least one trusted signing key, is content-addressed, or is built locally ("ultimately trusted").
Exit status
The exit status of this command is the sum of the following values:
- 1 if any path is corrupted (i.e. its contents don't match the recorded NAR hash).
- 2 if any path is untrusted.
- 4 if any path couldn't be verified for any other reason (such as an I/O error).
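Because the exit status is a sum, a caller has to test each value separately rather than compare against a single number. The following sketch is an added example, not part of the Nix manual: the function names `decode_verify_status` and `verify_paths` are hypothetical, and treating any status outside 0 to 7 as unexpected is an assumption.

```sh
#!/bin/sh
# Added example (not from the Nix manual). Function names are hypothetical.
# The values 1, 2 and 4 come from the "Exit status" section above.

# Print which conditions a `nix store verify` exit status reports.
decode_verify_status() {
    rc=$1
    # Assumption: anything that is not an integer in 0..7 is not a sum of
    # the documented values (for example, a process killed by a signal).
    case $rc in
        ''|*[!0-9]*) echo "unexpected:$rc"; return 0 ;;
    esac
    if [ "$rc" -gt 7 ]; then
        echo "unexpected:$rc"
        return 0
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok"
        return 0
    fi
    out=""
    if [ $((rc & 1)) -ne 0 ]; then out="$out corrupted"; fi
    if [ $((rc & 2)) -ne 0 ]; then out="$out untrusted"; fi
    if [ $((rc & 4)) -ne 0 ]; then out="$out unverifiable"; fi
    echo "${out# }"
}

# Run the check with the caller's arguments, report the decoded result on
# stderr, and pass the original status through to the caller.
verify_paths() {
    vrc=0
    nix store verify "$@" || vrc=$?
    echo "nix store verify: $(decode_verify_status "$vrc")" >&2
    return "$vrc"
}

# Only invoke nix when arguments are given, e.g.:
#   sh verify.sh -r -n2 --no-contents "$(type -p firefox)"
if [ "$#" -gt 0 ]; then
    verify_paths "$@"
fi
```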
Options
- --no-contents
  Do not verify the contents of each store path.
- --no-trust
  Do not verify whether each store path is trusted.
- --sigs-needed / -n n
  Require that each path has at least n valid signatures.
- --substituter / -s store-uri
  Use signatures from the specified store.
Common evaluation options:
- --arg name expr
  Pass the value expr as the argument name to Nix functions.
- --argstr name string
  Pass the string string as the argument name to Nix functions.
- --eval-store store-url
  The Nix store to use for evaluations.
- --impure
  Allow access to mutable paths and repositories.
- --include / -I path
  Add path to the list of locations used to look up <...> file names.
- --override-flake original-ref resolved-ref
  Override the flake registries, redirecting original-ref to resolved-ref.
Common flake-related options:
- --commit-lock-file
  Commit changes to the flake's lock file.
- --inputs-from flake-url
  Use the inputs of the specified flake as registry entries.
- --no-registries
  Don't allow lookups in the flake registries. This option is deprecated; use --no-use-registries.
- --no-update-lock-file
  Do not allow any updates to the flake's lock file.
- --no-write-lock-file
  Do not write the flake's newly generated lock file.
- --override-input input-path flake-url
  Override a specific flake input (e.g. dwarffs/nixpkgs). This implies --no-write-lock-file.
- --recreate-lock-file
  Recreate the flake's lock file from scratch.
- --update-input input-path
  Update a specific flake input (ignoring its previous entry in the lock file).
Options that change the interpretation of installables:
- --all
  Apply the operation to every store path.
- --derivation
  Operate on the store derivation rather than its outputs.
- --expr expr
  Interpret installables as attribute paths relative to the Nix expression expr.
- --file / -f file
  Interpret installables as attribute paths relative to the Nix expression stored in file. If file is the character -, then a Nix expression will be read from standard input.
- --recursive / -r
  Apply operation to closure of the specified paths.