aboutsummaryrefslogtreecommitdiff
path: root/src/nix/verify.md
blob: cc1122c02cdfecca0e6cce5f7a28c603dba9dd06 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
R""(

# Examples

* Verify the entire Nix store:

  ```console
  # nix store verify --all
  ```

* Check whether each path in the closure of Firefox has at least 2
  signatures:

  ```console
  # nix store verify -r -n2 --no-contents $(type -p firefox)
  ```

* Verify a store path in the binary cache `https://cache.nixos.org/`:

  ```console
  # nix store verify --store https://cache.nixos.org/ \
      /nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10
  ```

# Description

This command verifies the integrity of the store paths [*installables*](./nix.md#installables),
or, if `--all` is given, the entire Nix store. For each path, it
checks that

* its contents match the NAR hash recorded in the Nix database; and

* it is *trusted*, that is, it is signed by at least one trusted
  signing key, is content-addressed, or is built locally ("ultimately
  trusted").

# Exit status

The exit status of this command is the sum of the following values:

* **1** if any path is corrupted (i.e. its contents don't match the
  recorded NAR hash).

* **2** if any path is untrusted.

* **4** if any path couldn't be verified for any other reason (such as
  an I/O error).

)""