nix3-store-verify(1)
Warning: This program is experimental and its interface is subject to change.
Name
nix store verify - verify the integrity of store paths
Synopsis
nix store verify [option…] installables…
Examples
• Verify the entire Nix store:

  # nix store verify --all

• Check whether each path in the closure of Firefox has at least 2 signatures:

  # nix store verify -r -n2 --no-contents $(type -p firefox)

• Verify a store path in the binary cache https://cache.nixos.org/:

  # nix store verify --store https://cache.nixos.org/ \
      /nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10
Description
This command verifies the integrity of the store paths installables, or, if --all is given, the entire Nix store. For each path, it checks that
• its contents match the NAR hash recorded in the Nix database; and
• it is trusted, that is, it is signed by at least one trusted signing key, is content-addressed, or is built locally (“ultimately trusted”).
Exit status
The exit status of this command is the sum of the following values:
• 1 if any path is corrupted (i.e. its contents don’t match the recorded NAR hash).
• 2 if any path is untrusted.
• 4 if any path couldn’t be verified for any other reason (such as an I/O error).
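
Because the exit status is a sum, a script has to test each bit rather than compare against a single value. The following is an added example, not part of the Nix manual: `decode_verify_status` and `verify_and_report` are hypothetical helper names, and treating any status outside 0 to 7 as "unexpected" is an assumption.

```shell
#!/bin/sh
# Added example (not from the Nix manual): decode the exit status of
# `nix store verify`, which is a sum of 1 (corrupted), 2 (untrusted)
# and 4 (other failure), so each condition is tested as its own bit.

decode_verify_status() {
    status=$1
    # Assumption: anything that is not an integer in 0..7 (for example
    # 127 when nix is not installed) is not a verification result.
    case "$status" in
        ''|*[!0-9]*) echo "unexpected"; return 0 ;;
    esac
    if [ "$status" -gt 7 ]; then
        echo "unexpected"
        return 0
    fi
    result=""
    if [ $((status & 1)) -ne 0 ]; then result="$result corrupted"; fi
    if [ $((status & 2)) -ne 0 ]; then result="$result untrusted"; fi
    if [ $((status & 4)) -ne 0 ]; then result="$result unverifiable"; fi
    if [ -z "$result" ]; then result=" ok"; fi
    echo "${result# }"
}

# Hypothetical wrapper: run the check, log the decoded result, and pass the
# original status through so callers can still branch on it.
verify_and_report() {
    rc=0
    nix store verify "$@" || rc=$?
    echo "nix store verify: $(decode_verify_status "$rc") (exit $rc)" >&2
    return "$rc"
}

# Constructed sample statuses, so the decoder can be tried without a Nix store.
for s in 0 1 3 6 127; do
    printf '%3s -> %s\n' "$s" "$(decode_verify_status "$s")"
done
```

In a scheduled job, `verify_and_report --all` or `verify_and_report -r -n2 --no-contents <path>` logs which of the three conditions occurred while keeping the original status for alerting.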
Options
• --no-contents
  Do not verify the contents of each store path.

• --no-trust
  Do not verify whether each store path is trusted.

• --sigs-needed / -n n
  Require that each path has at least n valid signatures.

• --substituter / -s store-uri
  Use signatures from the specified store.

Common evaluation options:
• --arg name expr
  Pass the value expr as the argument name to Nix functions.

• --argstr name string
  Pass the string string as the argument name to Nix functions.

• --eval-store store-url
  The Nix store to use for evaluations.

• --impure
  Allow access to mutable paths and repositories.

• --include / -I path
  Add path to the list of locations used to look up <...> file names.

• --override-flake original-ref resolved-ref
  Override the flake registries, redirecting original-ref to resolved-ref.

Common flake-related options:
• --commit-lock-file
  Commit changes to the flake’s lock file.

• --inputs-from flake-url
  Use the inputs of the specified flake as registry entries.

• --no-registries
  Don’t allow lookups in the flake registries. This option is deprecated; use --no-use-registries.

• --no-update-lock-file
  Do not allow any updates to the flake’s lock file.

• --no-write-lock-file
  Do not write the flake’s newly generated lock file.

• --override-input input-path flake-url
  Override a specific flake input (e.g. dwarffs/nixpkgs). This implies --no-write-lock-file.

• --recreate-lock-file
  Recreate the flake’s lock file from scratch.

• --update-input input-path
  Update a specific flake input (ignoring its previous entry in the lock file).

Options that change the interpretation of installables:
• --all
  Apply the operation to every store path.

• --derivation
  Operate on the store derivation rather than its outputs.

• --expr expr
  Interpret installables as attribute paths relative to the Nix expression expr.

• --file / -f file
  Interpret installables as attribute paths relative to the Nix expression stored in file. If file is the character -, then a Nix expression will be read from standard input.

• --recursive / -r
  Apply operation to closure of the specified paths.