
nix3-store-verify(1) General Commands Manual nix3-store-verify(1)

Warning
This program is experimental and its interface is subject to change.

Name

nix store verify - verify the integrity of store paths

Synopsis

nix store verify [option…] installables

Examples

Verify the entire Nix store:

# nix store verify --all

Check whether each path in the closure of Firefox has at least 2 signatures:

# nix store verify --recursive --sigs-needed 2 --no-contents $(type -p firefox)

Verify a store path in the binary cache https://cache.nixos.org/:

# nix store verify --store https://cache.nixos.org/ \
    /nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10

Description

This command verifies the integrity of the store paths installables, or, if --all is given, the entire Nix store. For each path, it checks that

  • its contents match the NAR hash recorded in the Nix database; and
  • it is trusted, that is, it is signed by at least one trusted signing key, is content-addressed, or is built locally (“ultimately trusted”).

Exit status

The exit status of this command is the sum of the following values:

  • 1 if any path is corrupted (i.e. its contents don’t match the recorded NAR hash).
  • 2 if any path is untrusted.
  • 4 if any path couldn’t be verified for any other reason (such as an I/O error).
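
Because the status is a sum, a wrapper script has to test each bit rather than compare against a single value. The shell functions below are an added example, not part of the Nix manual; the names decode_verify_status and run_verify and the label wording are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Nix manual. Function names and label
# wording are assumptions of this example.

# decode_verify_status STATUS
# Prints the conditions encoded in STATUS (a sum of 1, 2 and 4).
# Returns 0 for a status in 0..7, 2 for anything the sum cannot produce
# (for example 127 from the shell when the command is not found).
decode_verify_status() {
    dvs_rc=$1
    case $dvs_rc in
        ''|*[!0-9]*) echo "invalid"; return 2 ;;
    esac
    if [ "$dvs_rc" -gt 7 ]; then
        echo "unexpected($dvs_rc)"
        return 2
    fi
    dvs_out=""
    if [ $((dvs_rc & 1)) -ne 0 ]; then dvs_out="$dvs_out corrupted"; fi
    if [ $((dvs_rc & 2)) -ne 0 ]; then dvs_out="$dvs_out untrusted"; fi
    if [ $((dvs_rc & 4)) -ne 0 ]; then dvs_out="$dvs_out unverifiable"; fi
    if [ -z "$dvs_out" ]; then dvs_out=" ok"; fi
    echo "${dvs_out# }"
}

# run_verify CMD [ARG...]
# Runs CMD (normally `nix store verify ...`), prints a one-line summary on
# stderr and returns CMD's status unchanged so callers can still branch on it.
run_verify() {
    rv_rc=0
    "$@" || rv_rc=$?
    rv_msg=$(decode_verify_status "$rv_rc") || true
    echo "store verify: $rv_msg (exit $rv_rc)" >&2
    return "$rv_rc"
}

# Typical call (commented out so the file can be sourced without Nix):
# run_verify nix store verify --all
```

A status outside 0..7 did not come from the sum described above and is reported separately rather than decoded.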

Options

--no-contents
Do not verify the contents of each store path.
--no-trust
Do not verify whether each store path is trusted.
--sigs-needed / -n n
Require that each path is signed by at least n different keys.
--stdin
Read installables from the standard input. No default installable applied.
--substituter / -s store-uri
Use signatures from the specified store.

Common evaluation options

--arg name expr
Pass the value expr as the argument name to Nix functions.
--arg-from-file name path
Pass the contents of file path as the argument name to Nix functions.
--arg-from-stdin name
Pass the contents of stdin as the argument name to Nix functions.
--argstr name string
Pass the string string as the argument name to Nix functions.
--debugger
Start an interactive environment if evaluation fails.
--eval-store store-url
The URL of the Nix store to use for evaluation, i.e. to store derivations (.drv files) and inputs referenced by them.
--impure
Allow access to mutable paths and repositories.
--include / -I path
Add path to search path entries used to resolve lookup paths.
This option may be given multiple times.
Paths added through -I take precedence over the nix-path configuration setting and the NIX_PATH environment variable.
--override-flake original-ref resolved-ref
Override the flake registries, redirecting original-ref to resolved-ref.
--commit-lock-file
Commit changes to the flake’s lock file.
--inputs-from flake-url
Use the inputs of the specified flake as registry entries.
--no-registries
Don’t allow lookups in the flake registries.
DEPRECATED: Use --no-use-registries instead.
--no-update-lock-file
Do not allow any updates to the flake’s lock file.
--no-write-lock-file
Do not write the flake’s newly generated lock file.
--output-lock-file flake-lock-path
Write the given lock file instead of flake.lock within the top-level flake.
--override-input input-path flake-url
Override a specific flake input (e.g. dwarffs/nixpkgs). This implies --no-write-lock-file.
--recreate-lock-file
Recreate the flake’s lock file from scratch.
DEPRECATED: Use nix flake update instead.
--reference-lock-file flake-lock-path
Read the given lock file instead of flake.lock within the top-level flake.
--update-input input-path
Update a specific flake input (ignoring its previous entry in the lock file).
DEPRECATED: Use nix flake update instead.
--debug
Set the logging verbosity level to ‘debug’.
--log-format format
Set the format of log output; one of raw, internal-json, bar or bar-with-logs.
--print-build-logs / -L
Print full build logs on standard error.
--quiet
Decrease the logging verbosity level.
--verbose / -v
Increase the logging verbosity level.

Miscellaneous global options

--help
Show usage information.
--offline
Disable substituters and consider all previously downloaded files up-to-date.
--option name value
Set the Nix configuration setting name to value (overriding nix.conf).
--refresh
Consider all previously downloaded files out-of-date.
--repair
During evaluation, rewrite missing or corrupted files in the Nix store. During building, rebuild missing or corrupted store paths.
--version
Show version information.

Options that change the interpretation of installables

--all
Apply the operation to every store path.
--derivation
Operate on the store derivation rather than its outputs.
--expr expr
Interpret installables as attribute paths relative to the Nix expression expr.
--file / -f file
Interpret installables as attribute paths relative to the Nix expression stored in file. If file is the character -, then a Nix expression will be read from standard input. Implies --impure.
--recursive / -r
Apply operation to closure of the specified paths.

Note

See man nix.conf for overriding configuration settings with command line flags.