Warning: This program is experimental and its
interface is subject to change.
nix store verify - verify the integrity of store paths
nix store verify [option…] installables…
- Verify the entire Nix store:
# nix store verify --all
- Check whether each path in the closure of Firefox has at least 2
signatures:
# nix store verify -r -n2 --no-contents $(type -p firefox)
- Verify a store path in the binary cache https://cache.nixos.org/:
# nix store verify --store https://cache.nixos.org/ \
/nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10
This command verifies the integrity of the store paths
installables, or, if --all is given, the entire Nix store. For each
path, it checks that
- its contents match the NAR hash recorded in the Nix database; and
- it is trusted, that is, it is signed by at least one trusted
signing key, is content-addressed, or is built locally (“ultimately
trusted”).
The exit status of this command is the sum of the following
values:
- 1 if any path is corrupted (i.e. its contents don’t match
the recorded NAR hash).
- 2 if any path is untrusted.
- 4 if any path couldn’t be verified for any other reason
(such as an I/O error).
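Because the exit status is a sum of 1, 2 and 4, a script can test each value separately and tell corruption apart from missing trust. The following is an added example, not part of the Nix manual; the function names and printed labels are assumptions of this example, and only the values 1, 2 and 4 come from the list above.

```shell
#!/bin/sh
# Added example: decode the exit status of `nix store verify`.
# Function names and labels are this example's own (hypothetical).

# decode_verify_status CODE: print one label per line for the given status.
decode_verify_status() {
    code=$1
    case $code in
        ''|*[!0-9]*) echo "invalid"; return 0 ;;
    esac
    if [ "$code" -eq 0 ]; then
        echo "ok"
        return 0
    fi
    # Anything above 1+2+4 is not a sum of the documented values,
    # e.g. 127 from the shell when nix is not on PATH.
    if [ "$code" -gt 7 ]; then
        echo "unknown"
        return 0
    fi
    if [ $((code & 1)) -ne 0 ]; then echo "corrupted"; fi
    if [ $((code & 2)) -ne 0 ]; then echo "untrusted"; fi
    if [ $((code & 4)) -ne 0 ]; then echo "unverifiable"; fi
    return 0
}

# verify_and_report ARGS...: run `nix store verify` with ARGS, print the
# decoded result on stderr, and return the original status to the caller.
verify_and_report() {
    rc=0
    nix store verify "$@" || rc=$?
    decode_verify_status "$rc" | while read -r label; do
        echo "nix store verify: $label" >&2
    done
    return "$rc"
}

# Usage (not run here):
#   verify_and_report --all
```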
- --no-contents
Do not verify the contents of each store path.
- --no-trust
Do not verify whether each store path is trusted.
- --sigs-needed / -n n
Require that each path has at least n valid signatures.
- --substituter / -s store-uri
Use signatures from the specified store.
Common evaluation options:
- --arg name expr
Pass the value expr as the argument name to Nix
functions.
- --argstr name string
Pass the string string as the argument name to Nix
functions.
- --eval-store store-url
The Nix store to use for evaluations.
- --impure
Allow access to mutable paths and repositories.
- --include / -I path
Add path to the list of locations used to look up <...> file
names.
- --override-flake original-ref resolved-ref
Override the flake registries, redirecting original-ref to
resolved-ref.
Common flake-related options:
- --commit-lock-file
Commit changes to the flake’s lock file.
- --inputs-from flake-url
Use the inputs of the specified flake as registry entries.
- --no-registries
Don’t allow lookups in the flake registries. This option is
deprecated; use --no-use-registries.
- --no-update-lock-file
Do not allow any updates to the flake’s lock file.
- --no-write-lock-file
Do not write the flake’s newly generated lock file.
- --override-input input-path flake-url
Override a specific flake input (e.g. dwarffs/nixpkgs). This implies
--no-write-lock-file.
- --recreate-lock-file
Recreate the flake’s lock file from scratch.
- --update-input input-path
Update a specific flake input (ignoring its previous entry in the lock
file).
Options that change the interpretation of installables:
- --all
Apply the operation to every store path.
- --derivation
Operate on the store derivation rather than its outputs.
- --expr expr
Interpret installables as attribute paths relative to the Nix expression
expr.
- --file / -f file
Interpret installables as attribute paths relative to the Nix expression
stored in file. If file is the character -, then a Nix
expression will be read from standard input.
- --recursive / -r
Apply operation to closure of the specified paths.