Warning
This program is experimental and its interface is subject to change.
Name
nix store verify - verify the integrity of store paths
Synopsis
nix store verify [option...] installables...
Examples
-
Verify the entire Nix store:
# nix store verify --all
-
Check whether each path in the closure of Firefox has at least 2 signatures:
# nix store verify --recursive --sigs-needed 2 --no-contents $(type -p firefox)
-
Verify a store path in the binary cache https://cache.nixos.org/:
# nix store verify --store https://cache.nixos.org/ \
    /nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10
Description
This command verifies the integrity of the store paths installables,
or, if --all is given, the entire Nix store. For each path, it
checks that
-
its contents match the NAR hash recorded in the Nix database; and
-
it is trusted, that is, it is signed by at least one trusted signing key, is content-addressed, or is built locally ("ultimately trusted").
Exit status
The exit status of this command is the sum of the following values:
-
1 if any path is corrupted (i.e. its contents don't match the recorded NAR hash).
-
2 if any path is untrusted.
-
4 if any path couldn't be verified for any other reason (such as an I/O error).
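Because the exit status is a sum, a calling script has to test each bit rather than compare against a single value. The shell functions below are an added example, not part of the Lix manual; the names decode_verify_status and verify_and_report and the label strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: decode the exit status of `nix store verify`.
# Bit values 1, 2 and 4 are from the "Exit status" list above; the
# function names and labels are this example's own (hypothetical).

# Print the conditions encoded in a verify exit status.
# Returns 0 for a valid status (0..7), 1 for anything else.
decode_verify_status() {
    status=$1
    case $status in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    # 127 (command not found) or 128+N (killed by signal N) are not sums
    # of 1, 2 and 4; masking them blindly would report false findings.
    if [ "$status" -gt 7 ]; then
        echo "not-a-verify-status"
        return 1
    fi
    if [ "$status" -eq 0 ]; then
        echo "ok"
        return 0
    fi
    labels=""
    if [ $((status & 1)) -ne 0 ]; then labels="$labels corrupted"; fi
    if [ $((status & 2)) -ne 0 ]; then labels="$labels untrusted"; fi
    if [ $((status & 4)) -ne 0 ]; then labels="$labels unverifiable"; fi
    echo "${labels# }"
}

# Run `nix store verify` with the given arguments, report the decoded
# result on stderr, and hand the original exit status back to the caller.
# Usage (assumes nix is on PATH): verify_and_report --all
verify_and_report() {
    rc=0
    nix store verify "$@" || rc=$?
    echo "nix store verify: $(decode_verify_status "$rc") (exit $rc)" >&2
    return "$rc"
}
```

In a scheduled integrity check, treating "corrupted" and "untrusted" as separate alerts keeps disk corruption distinct from a missing or unexpected signature.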
Options
-
--no-contents
Do not verify the contents of each store path.
-
--no-trust
Do not verify whether each store path is trusted.
-
--sigs-needed / -n n
Require that each path is signed by at least n different keys.
-
--stdin
Read installables from the standard input. No default installable applied.
-
--substituter / -s store-uri
Use signatures from the specified store.
Common evaluation options:
-
--arg name expr
Pass the value expr as the argument name to Nix functions.
-
--argstr name string
Pass the string string as the argument name to Nix functions.
-
--debugger
Start an interactive environment if evaluation fails.
-
--eval-store store-url
The URL of the Nix store to use for evaluation, i.e. to store derivations (.drv files) and inputs referenced by them.
-
--impure
Allow access to mutable paths and repositories.
-
--include / -I path
Add path to the Nix search path. The Nix search path is initialized from the colon-separated NIX_PATH environment variable, and is used to look up the location of Nix expressions using paths enclosed in angle brackets (i.e., <nixpkgs>).
For instance, passing
    -I /home/eelco/Dev -I /etc/nixos
will cause Lix to look for paths relative to /home/eelco/Dev and /etc/nixos, in that order. This is equivalent to setting the NIX_PATH environment variable to
    /home/eelco/Dev:/etc/nixos
It is also possible to match paths against a prefix. For example, passing
    -I nixpkgs=/home/eelco/Dev/nixpkgs-branch -I /etc/nixos
will cause Lix to search for <nixpkgs/path> in /home/eelco/Dev/nixpkgs-branch/path and /etc/nixos/nixpkgs/path.
If a path in the Nix search path starts with http:// or https://, it is interpreted as the URL of a tarball that will be downloaded and unpacked to a temporary location. The tarball must consist of a single top-level directory. For example, passing
    -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz
tells Lix to download and use the current contents of the master branch in the nixpkgs repository.
The URLs of the tarballs from the official nixos.org channels (see the manual page for nix-channel) can be abbreviated as channel:<channel-name>. For instance, the following two flags are equivalent:
    -I nixpkgs=channel:nixos-21.05
    -I nixpkgs=https://nixos.org/channels/nixos-21.05/nixexprs.tar.xz
You can also fetch source trees using flake URLs and add them to the search path. For instance,
    -I nixpkgs=flake:nixpkgs
specifies that the prefix nixpkgs shall refer to the source tree downloaded from the nixpkgs entry in the flake registry. Similarly,
    -I nixpkgs=flake:github:NixOS/nixpkgs/nixos-22.05
makes <nixpkgs> refer to a particular branch of the NixOS/nixpkgs repository on GitHub.
-
--override-flake original-ref resolved-ref
Override the flake registries, redirecting original-ref to resolved-ref.
Common flake-related options:
-
--commit-lock-file
Commit changes to the flake's lock file.
-
--inputs-from flake-url
Use the inputs of the specified flake as registry entries.
-
--no-registries
Don't allow lookups in the flake registries. This option is deprecated; use --no-use-registries.
-
--no-update-lock-file
Do not allow any updates to the flake's lock file.
-
--no-write-lock-file
Do not write the flake's newly generated lock file.
-
--output-lock-file flake-lock-path
Write the given lock file instead of flake.lock within the top-level flake.
-
--override-input input-path flake-url
Override a specific flake input (e.g. dwarffs/nixpkgs). This implies --no-write-lock-file.
-
--reference-lock-file flake-lock-path
Read the given lock file instead of flake.lock within the top-level flake.
Logging-related options:
-
--debug
Set the logging verbosity level to 'debug'.
-
--log-format format
Set the format of log output; one of raw, internal-json, bar, bar-with-logs, multiline or multiline-with-logs.
-
--print-build-logs / -L
Print full build logs on standard error.
-
--quiet
Decrease the logging verbosity level.
-
--verbose / -v
Increase the logging verbosity level.
Miscellaneous global options:
-
--help
Show usage information.
-
--offline
Disable substituters and consider all previously downloaded files up-to-date.
-
--option name value
Set the Lix configuration setting name to value (overriding nix.conf).
-
--refresh
Consider all previously downloaded files out-of-date.
-
--repair
During evaluation, rewrite missing or corrupted files in the Nix store. During building, rebuild missing or corrupted store paths.
-
--version
Show version information.
Options that change the interpretation of installables:
-
--all
Apply the operation to every store path.
-
--derivation
Operate on the store derivation rather than its outputs.
-
--expr / -E expr
Interpret installables as attribute paths relative to the Nix expression expr.
-
--file / -f file
Interpret installables as attribute paths relative to the Nix expression stored in file. If file is the character -, then a Nix expression will be read from standard input. Implies --impure.
-
--recursive / -r
Apply operation to closure of the specified paths.
Note
See man nix.conf for overriding configuration settings with command line flags.