nix3-store-verify(1) General Commands Manual nix3-store-verify(1)

Warning
This program is experimental and its interface is subject to change.

Name

nix store verify - verify the integrity of store paths

Synopsis

nix store verify [option…] installables

Examples

Verify the entire Nix store:

  # nix store verify --all

Check whether each path in the closure of Firefox has at least 2 signatures:

  # nix store verify --recursive --sigs-needed 2 --no-contents $(type -p firefox)

Verify a store path in the binary cache https://cache.nixos.org/:

  # nix store verify --store https://cache.nixos.org/ \
      /nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10

Description

This command verifies the integrity of the store paths installables, or, if --all is given, the entire Nix store. For each path, it checks that

  • its contents match the NAR hash recorded in the Nix database; and
  • it is trusted, that is, it is signed by at least one trusted signing key, is content-addressed, or is built locally (“ultimately trusted”).

The exit status of this command is the sum of the following values:

  • 1 if any path is corrupted (i.e. its contents don’t match the recorded NAR hash).
  • 2 if any path is untrusted.
  • 4 if any path couldn’t be verified for any other reason (such as an I/O error).
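The exit status above is a sum of bits, so a caller has to decode it rather than compare it against a single value. The following shell script is an added example (not code from the Nix manual or the Nix project): it wraps nix store verify, decodes the summed exit status into the three documented conditions, and shows a simple pipeline gate built on those bits. The function names decode_verify_status, verify_paths, verify_closure_signed and gate_on_status are this example's own; it assumes nix is on PATH only when a real verification is requested.

```shell
#!/bin/sh
# Added example; not code from the Nix manual or the Nix project.
# Wraps `nix store verify` and decodes its summed exit status
# (1 = corrupted, 2 = untrusted, 4 = other error) so an operator or a
# CI gate can see which checks failed. `nix` is assumed to be on PATH
# only when verify_paths is actually invoked; decoding needs nothing.

# decode_verify_status CODE
# Prints the condition names encoded in CODE, space-separated, or "ok" for 0.
decode_verify_status() {
    code=$1
    out=""
    if [ $((code & 1)) -ne 0 ]; then out="${out}corrupted "; fi
    if [ $((code & 2)) -ne 0 ]; then out="${out}untrusted "; fi
    if [ $((code & 4)) -ne 0 ]; then out="${out}other-error "; fi
    if [ -z "$out" ]; then
        echo ok
    else
        echo "${out% }"    # drop the trailing space
    fi
}

# verify_paths [nix store verify options...] INSTALLABLES...
# Runs the verification, reports the decoded status on stderr and returns
# the original exit code so callers can still act on individual bits.
verify_paths() {
    status=0
    nix store verify "$@" || status=$?
    echo "nix store verify exited $status: $(decode_verify_status "$status")" >&2
    return "$status"
}

# verify_closure_signed N INSTALLABLES...
# Signature-only check of the full closure, as in the Firefox example above:
# every path must carry at least N signatures; contents are not re-hashed.
verify_closure_signed() {
    n=$1
    shift
    verify_paths --recursive --sigs-needed "$n" --no-contents "$@"
}

# gate_on_status CODE
# Pipeline policy: fail (return 1) on corruption or missing trust, but treat
# "other error" (e.g. a transient I/O problem) as a retry condition
# (return 2) rather than as a verdict on the paths themselves.
gate_on_status() {
    code=$1
    if [ $((code & 3)) -ne 0 ]; then
        return 1
    elif [ $((code & 4)) -ne 0 ]; then
        return 2
    fi
    return 0
}

# Only touch the real store when arguments are supplied, e.g.:
#   sh verify-report.sh 2 "$(type -p firefox)"
if [ "$#" -ge 2 ]; then
    verify_closure_signed "$@"
    gate_on_status "$?"
    exit "$?"
fi
```

Because verify_paths returns the original status unchanged, a caller can combine the helpers freely: decode for a human-readable report, gate for the pass/retry/fail decision.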

Options

--no-contents
Do not verify the contents of each store path.
--no-trust
Do not verify whether each store path is trusted.
--sigs-needed / -n n
Require that each path is signed by at least n different keys.
--stdin
Read installables from the standard input. No default installable is applied.
--substituter / -s store-uri
Use signatures from the specified store.

Common evaluation options

--arg name expr
Pass the value expr as the argument name to Nix functions.
--arg-from-file name path
Pass the contents of file path as the argument name to Nix functions.
--arg-from-stdin name
Pass the contents of stdin as the argument name to Nix functions.
--argstr name string
Pass the string string as the argument name to Nix functions.
--debugger
Start an interactive environment if evaluation fails.
--eval-store store-url
The URL of the Nix store to use for evaluation, i.e. to store derivations (.drv files) and inputs referenced by them.
--impure
Allow access to mutable paths and repositories.
--include / -I path
Add path to the Nix search path. The Nix search path is initialized from the colon-separated NIX_PATH environment variable, and is used to look up the location of Nix expressions using paths enclosed in angle brackets (i.e., <nixpkgs>).
For instance, passing
-I /home/eelco/Dev
-I /etc/nixos
will cause Nix to look for paths relative to /home/eelco/Dev and /etc/nixos, in that order. This is equivalent to setting the NIX_PATH environment variable to
/home/eelco/Dev:/etc/nixos
It is also possible to match paths against a prefix. For example, passing
-I nixpkgs=/home/eelco/Dev/nixpkgs-branch
-I /etc/nixos
will cause Nix to search for <nixpkgs/path> in /home/eelco/Dev/nixpkgs-branch/path and /etc/nixos/nixpkgs/path.
If a path in the Nix search path starts with http:// or https://, it is interpreted as the URL of a tarball that will be downloaded and unpacked to a temporary location. The tarball must consist of a single top-level directory. For example, passing
-I nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz
tells Nix to download and use the current contents of the master branch in the nixpkgs repository.
The URLs of the tarballs from the official nixos.org channels (see the manual page for nix-channel) can be abbreviated as channel:<channel-name>. For instance, the following two flags are equivalent:
-I nixpkgs=channel:nixos-21.05
-I nixpkgs=https://nixos.org/channels/nixos-21.05/nixexprs.tar.xz
You can also fetch source trees using flake URLs and add them to the search path. For instance,
-I nixpkgs=flake:nixpkgs
specifies that the prefix nixpkgs shall refer to the source tree downloaded from the nixpkgs entry in the flake registry. Similarly,
-I nixpkgs=flake:github:NixOS/nixpkgs/nixos-22.05
makes <nixpkgs> refer to a particular branch of the NixOS/nixpkgs repository on GitHub.

Common flake-related options

--override-flake original-ref resolved-ref
Override the flake registries, redirecting original-ref to resolved-ref.
--commit-lock-file
Commit changes to the flake’s lock file.
--inputs-from flake-url
Use the inputs of the specified flake as registry entries.
--no-registries
Don’t allow lookups in the flake registries.
DEPRECATED
Use --no-use-registries instead.
--no-update-lock-file
Do not allow any updates to the flake’s lock file.
--no-write-lock-file
Do not write the flake’s newly generated lock file.
--output-lock-file flake-lock-path
Write the given lock file instead of flake.lock within the top-level flake.
--override-input input-path flake-url
Override a specific flake input (e.g. dwarffs/nixpkgs). This implies --no-write-lock-file.
--recreate-lock-file
Recreate the flake’s lock file from scratch.
DEPRECATED
Use nix flake update instead.
--reference-lock-file flake-lock-path
Read the given lock file instead of flake.lock within the top-level flake.
--update-input input-path
Update a specific flake input (ignoring its previous entry in the lock file).
DEPRECATED
Use nix flake update instead.

Logging-related options

--debug
Set the logging verbosity level to ‘debug’.
--log-format format
Set the format of log output; one of raw, internal-json, bar or bar-with-logs.
--print-build-logs / -L
Print full build logs on standard error.
--quiet
Decrease the logging verbosity level.
--verbose / -v
Increase the logging verbosity level.

Miscellaneous global options

--help
Show usage information.
--offline
Disable substituters and consider all previously downloaded files up-to-date.
--option name value
Set the Nix configuration setting name to value (overriding nix.conf).
--refresh
Consider all previously downloaded files out-of-date.
--repair
During evaluation, rewrite missing or corrupted files in the Nix store. During building, rebuild missing or corrupted store paths.
--version
Show version information.

Options that change the interpretation of installables

--all
Apply the operation to every store path.
--derivation
Operate on the store derivation rather than its outputs.
--expr expr
Interpret installables as attribute paths relative to the Nix expression expr.
--file / -f file
Interpret installables as attribute paths relative to the Nix expression stored in file. If file is the character -, then a Nix expression will be read from standard input. Implies --impure.
--recursive / -r
Apply the operation to the closure of the specified paths.

Note

See man nix.conf for overriding configuration settings with command line flags.