Warning
This program is experimental and its interface is subject to change.
Name
nix store verify - verify the integrity of store paths
Synopsis
nix store verify [option...] installables...
Examples
-
Verify the entire Nix store:
# nix store verify --all
-
Check whether each path in the closure of Firefox has at least 2 signatures:
# nix store verify --recursive --sigs-needed 2 --no-contents $(type -p firefox)
-
Verify a store path in the binary cache https://cache.nixos.org/:
# nix store verify --store https://cache.nixos.org/ \
    /nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10
Description
This command verifies the integrity of the store paths installables, or, if --all is given, the entire Nix store. For each path, it checks that
-
its contents match the NAR hash recorded in the Nix database; and
-
it is trusted, that is, it is signed by at least one trusted signing key, is content-addressed, or is built locally ("ultimately trusted").
Exit status
The exit status of this command is the sum of the following values:
-
1 if any path is corrupted (i.e. its contents don't match the recorded NAR hash).
-
2 if any path is untrusted.
-
4 if any path couldn't be verified for any other reason (such as an I/O error).
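How a calling script can interpret the summed exit status described above, as an added example (not part of the Lix manual). The function names, the REQUIRE_TRUST variable and the gate policy are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: decode the exit status of `nix store verify`, which is the
# sum of 1 (corrupted), 2 (untrusted) and 4 (other verification failure).

# Print one word per flag contained in the status, or "ok" for 0.
# A status above 7 cannot be such a sum (e.g. 127 when the shell cannot find
# the command), so it is reported as-is instead of being decoded as flags.
decode_verify_status() {
    local status=$1 out=""
    case $status in
        ''|*[!0-9]*) echo "invalid"; return 0 ;;
    esac
    if [ "$status" -gt 7 ]; then echo "not-a-verify-status"; return 0; fi
    if [ $((status & 1)) -ne 0 ]; then out="$out corrupted"; fi
    if [ $((status & 2)) -ne 0 ]; then out="$out untrusted"; fi
    if [ $((status & 4)) -ne 0 ]; then out="$out unverifiable"; fi
    out=${out# }
    echo "${out:-ok}"
}

# Hypothetical gate policy (an assumption of this example): corrupted or
# unverifiable paths always fail; untrusted paths fail unless REQUIRE_TRUST=0.
verify_gate() {
    local flags
    flags=$(decode_verify_status "$1")
    case " $flags " in
        *" ok "*) return 0 ;;
        *" corrupted "*|*" unverifiable "*) return 1 ;;
        *" untrusted "*)
            if [ "${REQUIRE_TRUST:-1}" = "0" ]; then return 0; fi
            return 1 ;;
    esac
    return 1   # invalid or non-verify status: fail closed
}

# Verify the closure of one store path and apply the gate.
# Usage: verify_closure /nix/store/...-name
verify_closure() {
    local status=0
    nix store verify --recursive "$1" || status=$?
    echo "nix store verify: $(decode_verify_status "$status")" >&2
    verify_gate "$status"
}
```

Because the flags are summed, a status of 3 means that both corrupted and untrusted paths were found, so a caller that only tests for a non-zero status cannot tell the two apart.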
Options
-
--no-contents
Do not verify the contents of each store path.
-
--no-trust
Do not verify whether each store path is trusted.
-
--sigs-needed / -n n
Require that each path is signed by at least n different keys.
-
--stdin
Read installables from the standard input. No default installable applied.
-
--substituter / -s store-uri
Use signatures from the specified store.
Common evaluation options:
-
--arg name expr
Pass the value expr as the argument name to Nix functions.
-
--argstr name string
Pass the string string as the argument name to Nix functions.
-
--debugger
Start an interactive environment if evaluation fails.
-
--eval-store store-url
The URL of the Nix store to use for evaluation, i.e. to store derivations (.drv files) and inputs referenced by them.
-
--impure
Allow access to mutable paths and repositories.
-
--include / -I path
Add path to the Nix search path. The Nix search path is initialized from the colon-separated NIX_PATH environment variable, and is used to look up the location of Nix expressions using paths enclosed in angle brackets (i.e., <nixpkgs>).
For instance, passing
-I /home/eelco/Dev -I /etc/nixos
will cause Lix to look for paths relative to /home/eelco/Dev and /etc/nixos, in that order. This is equivalent to setting the NIX_PATH environment variable to
/home/eelco/Dev:/etc/nixos
It is also possible to match paths against a prefix. For example, passing
-I nixpkgs=/home/eelco/Dev/nixpkgs-branch -I /etc/nixos
will cause Lix to search for <nixpkgs/path> in /home/eelco/Dev/nixpkgs-branch/path and /etc/nixos/nixpkgs/path.
If a path in the Nix search path starts with http:// or https://, it is interpreted as the URL of a tarball that will be downloaded and unpacked to a temporary location. The tarball must consist of a single top-level directory. For example, passing
-I nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz
tells Lix to download and use the current contents of the master branch in the nixpkgs repository.
The URLs of the tarballs from the official nixos.org channels (see the manual page for nix-channel) can be abbreviated as channel:<channel-name>. For instance, the following two flags are equivalent:
-I nixpkgs=channel:nixos-21.05
-I nixpkgs=https://nixos.org/channels/nixos-21.05/nixexprs.tar.xz
You can also fetch source trees using flake URLs and add them to the search path. For instance,
-I nixpkgs=flake:nixpkgs
specifies that the prefix nixpkgs shall refer to the source tree downloaded from the nixpkgs entry in the flake registry. Similarly,
-I nixpkgs=flake:github:NixOS/nixpkgs/nixos-22.05
makes <nixpkgs> refer to a particular branch of the NixOS/nixpkgs repository on GitHub.
-
--override-flake original-ref resolved-ref
Override the flake registries, redirecting original-ref to resolved-ref.
Common flake-related options:
-
--commit-lock-file
Commit changes to the flake's lock file.
-
--inputs-from flake-url
Use the inputs of the specified flake as registry entries.
-
--no-registries
Don't allow lookups in the flake registries. This option is deprecated; use --no-use-registries.
-
--no-update-lock-file
Do not allow any updates to the flake's lock file.
-
--no-write-lock-file
Do not write the flake's newly generated lock file.
-
--output-lock-file flake-lock-path
Write the given lock file instead of flake.lock within the top-level flake.
-
--override-input input-path flake-url
Override a specific flake input (e.g. dwarffs/nixpkgs). This implies --no-write-lock-file.
-
--reference-lock-file flake-lock-path
Read the given lock file instead of flake.lock within the top-level flake.
Logging-related options:
-
--debug
Set the logging verbosity level to 'debug'.
-
--log-format format
Set the format of log output; one of raw, internal-json, bar, bar-with-logs, multiline or multiline-with-logs.
-
--print-build-logs / -L
Print full build logs on standard error.
-
--quiet
Decrease the logging verbosity level.
-
--verbose / -v
Increase the logging verbosity level.
Miscellaneous global options:
-
--help
Show usage information.
-
--offline
Disable substituters and consider all previously downloaded files up-to-date.
-
--option name value
Set the Lix configuration setting name to value (overriding nix.conf).
-
--refresh
Consider all previously downloaded files out-of-date.
-
--repair
During evaluation, rewrite missing or corrupted files in the Nix store. During building, rebuild missing or corrupted store paths.
-
--version
Show version information.
Options that change the interpretation of installables:
-
--all
Apply the operation to every store path.
-
--derivation
Operate on the store derivation rather than its outputs.
-
--expr / -E expr
Interpret installables as attribute paths relative to the Nix expression expr.
-
--file / -f file
Interpret installables as attribute paths relative to the Nix expression stored in file. If file is the character -, then a Nix expression will be read from standard input. Implies --impure.
-
--recursive / -r
Apply operation to closure of the specified paths.
Note
See man nix.conf for overriding configuration settings with command line flags.