Name

nix store verify - verify the integrity of store paths

Synopsis

nix store verify [option...] installables...

Examples

• Verify the entire Nix store:

  # nix store verify --all
  

• Check whether each path in the closure of Firefox has at least 2 signatures:

  # nix store verify --recursive --sigs-needed 2 --no-contents $(type -p firefox)
  

• Verify a store path in the binary cache https://cache.nixos.org/:

  # nix store verify --store https://cache.nixos.org/ \
      /nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10
  

Description

This command verifies the integrity of the store paths installables, or, if --all is given, the entire Nix store. For each path, it checks that

• its contents match the NAR hash recorded in the Nix database; and

• it is trusted, that is, it is signed by at least one trusted signing key, is content-addressed, or is built locally ("ultimately trusted").

Exit status

The exit status of this command is the sum of the following values:

• 1 if any path is corrupted (i.e. its contents don't match the recorded NAR hash).

• 2 if any path is untrusted.

• 4 if any path couldn't be verified for any other reason (such as an I/O error).

Options

• --no-contents

  Do not verify the contents of each store path.

• --no-trust

  Do not verify whether each store path is trusted.

• --sigs-needed / -n n

  Require that each path is signed by at least n different keys.

• --stdin

  Read installables from the standard input. No default installable applied.

• --substituter / -s store-uri

  Use signatures from the specified store.

Common evaluation options

• --arg name expr

  Pass the value expr as the argument name to Nix functions.

• --arg-from-file name path

  Pass the contents of file path as the argument name to Nix functions.

• --arg-from-stdin name

  Pass the contents of stdin as the argument name to Nix functions.

• --argstr name string

  Pass the string string as the argument name to Nix functions.

• --debugger

  Start an interactive environment if evaluation fails.

• --eval-store store-url

  The URL of the Nix store to use for evaluation, i.e. to store derivations (.drv files) and inputs referenced by them.

• --impure

  Allow access to mutable paths and repositories.

• --include / -I path

  Add path to search path entries used to resolve lookup paths

  This option may be given multiple times.

  Paths added through -I take precedence over the nix-path configuration setting and the NIX_PATH environment variable.

• --override-flake original-ref resolved-ref

  Override the flake registries, redirecting original-ref to resolved-ref.

Common flake-related options

• --commit-lock-file

  Commit changes to the flake's lock file.

• --inputs-from flake-url

  Use the inputs of the specified flake as registry entries.

• --no-registries

  Don't allow lookups in the flake registries.

  DEPRECATED

  Use --no-use-registries instead.

• --no-update-lock-file

  Do not allow any updates to the flake's lock file.

• --no-write-lock-file

  Do not write the flake's newly generated lock file.

• --output-lock-file flake-lock-path

  Write the given lock file instead of flake.lock within the top-level flake.

• --override-input input-path flake-url

  Override a specific flake input (e.g. dwarffs/nixpkgs). This implies --no-write-lock-file.

• --recreate-lock-file

  Recreate the flake's lock file from scratch.

  DEPRECATED

  Use nix flake update instead.

• --reference-lock-file flake-lock-path

  Read the given lock file instead of flake.lock within the top-level flake.

• --update-input input-path

  Update a specific flake input (ignoring its previous entry in the lock file).

  DEPRECATED

  Use nix flake update instead.

Logging-related options

• --debug

  Set the logging verbosity level to 'debug'.

• --log-format format

  Set the format of log output; one of raw, internal-json, bar or bar-with-logs.

• --print-build-logs / -L

  Print full build logs on standard error.

• --quiet

  Decrease the logging verbosity level.

• --verbose / -v

  Increase the logging verbosity level.

Miscellaneous global options

• --help

  Show usage information.

• --offline

  Disable substituters and consider all previously downloaded files up-to-date.

• --option name value

  Set the Nix configuration setting name to value (overriding nix.conf).

• --refresh

  Consider all previously downloaded files out-of-date.

• --repair

  During evaluation, rewrite missing or corrupted files in the Nix store. During building, rebuild missing or corrupted store paths.

• --version

  Show version information.

Options that change the interpretation of installables

• --all

  Apply the operation to every store path.

• --derivation

  Operate on the store derivation rather than its outputs.

• --expr expr

  Interpret installables as attribute paths relative to the Nix expression expr.

• --file / -f file

  Interpret installables as attribute paths relative to the Nix expression stored in file. If file is the character -, then a Nix expression is read from standard input. Implies --impure.

• --recursive / -r

  Apply operation to closure of the specified paths.

Note

See man nix.conf for overriding configuration settings with command line flags.