Using `--check` to Verify Build Determinism and Handling Non-Deterministic Builds

If the build passes and is deterministic, Nix will exit with a status code of 0: ```console $ nix-build ./deterministic.nix --attr stable this derivation will be built: /nix/store/z98fasz2jqy9gs0xbvdj939p27jwda38-stable.drv building '/nix/store/z98fasz2jqy9gs0xbvdj939p27jwda38-stable.drv'... /nix/store/yyxlzw3vqaas7wfp04g0b1xg51f2czgq-stable $ nix-build ./deterministic.nix --attr stable --check checking outputs of '/nix/store/z98fasz2jqy9gs0xbvdj939p27jwda38-stable.drv'... /nix/store/yyxlzw3vqaas7wfp04g0b1xg51f2czgq-stable ``` If the build is not deterministic, Nix will exit with a status code of 1: ```console $ nix-build ./deterministic.nix --attr unstable this derivation will be built: /nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv building '/nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv'... /nix/store/krpqk0l9ib0ibi1d2w52z293zw455cap-unstable $ nix-build ./deterministic.nix --attr unstable --check checking outputs of '/nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv'... error: derivation '/nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv' may not be deterministic: output '/nix/store/krpqk0l9ib0ibi1d2w52z293zw455cap-unstable' differs ``` In the Nix daemon's log, we will now see: ``` For derivation /nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv: 1c1 < 8108 --- > 30204 ``` Using `--check` with `--keep-failed` will cause Nix to keep the second build's output in a special, `.check` path: ```console $ nix-build ./deterministic.nix --attr unstable --check --keep-failed checking outputs of '/nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv'... note: keeping build directory '/tmp/nix-build-unstable.drv-0' error: derivation '/nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv' may not be deterministic: output '/nix/store/krpqk0l9ib0ibi1d2w52z293zw455cap-unstable' differs from '/nix/store/krpqk0l9ib0ibi1d2w52z293zw455cap-unstable.check' ``` In particular, notice the `/nix/store/krpqk0l9ib0ibi1d2w52z293zw455cap-unstable.check` output. Nix has copied the build results to that directory where you can examine it. > []{#check-dirs-are-unregistered} **Note** > > Check paths are not protected against garbage collection, and this > path will be deleted on the next garbage collection. > > The path is guaranteed to be alive for the duration of > the `diff-hook`'s execution, but may be deleted any time after. > > If the comparison is performed as part of automated tooling, please > use the diff-hook or author your tooling to handle the case where the > build was not deterministic and also a check path does not exist. `--check` is only usable if the derivation has been built on the system already. If the derivation has not been built Nix will fail with the error: error: some outputs of '/nix/store/hzi1h60z2qf0nb85iwnpvrai3j2w7rr6-unstable.drv' are not valid, so checking is not possible Run the build without `--check`, and then try with `--check` again.

This section details how to use the `--check` flag with `nix-build` to verify build determinism. It shows examples of both deterministic (exit code 0) and non-deterministic (exit code 1) builds. It also explains how to use `--keep-failed` to retain the `.check` path for failed builds, allowing examination of differences. It emphasizes that `.check` paths are not garbage collection protected after the `diff-hook`'s execution. Furthermore, it points out that `--check` can only be used after the derivation has been built at least once.