2 files changed, 53 insertions, 11 deletions

diff --git a/src/nix/verify.cc b/src/nix/verify.cc
index bcf85d7dd..16d42349f 100644
--- a/src/nix/verify.cc
+++ b/src/nix/verify.cc
@@ -35,18 +35,11 @@ struct CmdVerify : StorePathsCommand
         return "verify the integrity of store paths";
     }
 
-    Examples examples() override
+    std::string doc() override
     {
-        return {
-            Example{
-                "To verify the entire Nix store:",
-                "nix store verify --all"
-            },
-            Example{
-                "To check whether each path in the closure of Firefox has at least 2 signatures:",
-                "nix store verify -r -n2 --no-contents $(type -p firefox)"
-            },
-        };
+        return
+          #include "verify.md"
+          ;
     }
 
     void run(ref<Store> store, StorePaths storePaths) override
diff --git a/src/nix/verify.md b/src/nix/verify.md
new file mode 100644
index 000000000..1c43792e7
--- /dev/null
+++ b/src/nix/verify.md
@@ -0,0 +1,49 @@
+R""(
+
+# Examples
+
+* Verify the entire Nix store:
+
+  ```console
+  # nix store verify --all
+  ```
+
+* Check whether each path in the closure of Firefox has at least 2
+  signatures:
+
+  ```console
+  # nix store verify -r -n2 --no-contents $(type -p firefox)
+  ```
+
+* Verify a store path in the binary cache `https://cache.nixos.org/`:
+
+  ```console
+  # nix store verify --store https://cache.nixos.org/ \
+      /nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10
+  ```
+
+# Description
+
+This command verifies the integrity of the store paths *installables*,
+or, if `--all` is given, the entire Nix store. For each path, it
+checks that
+
+* its contents match the NAR hash recorded in the Nix database; and
+
+* it is *trusted*, that is, it is signed by at least one trusted
+  signing key, is content-addressed, or is built locally ("ultimately
+  trusted").
+
+# Exit status
+
+The exit status of this command is the sum of the following values:
+
+* **1** if any path is corrupted (i.e. its contents don't match the
+  recorded NAR hash).
+
+* **2** if any path is untrusted.
+
+* **4** if any path couldn't be verified for any other reason (such as
+  an I/O error).
+
+)""