


nix

src/nix/verify.md
R""(

# Examples

* Verify the entire Nix store:

  ```console
  # nix store verify --all
  ```

* Check whether each path in the closure of Firefox has at least 2
  signatures:

  ```console
  # nix store verify --recursive --sigs-needed 2 --no-contents $(type -p firefox)
  ```

* Verify a store path in the binary cache `https://cache.nixos.org/`:

  ```console
  # nix store verify --store https://cache.nixos.org/ \
      /nix/store/v5sv61sszx301i0x6xysaqzla09nksnd-hello-2.10
  ```

# Description

This command verifies the integrity of the store paths [*installables*](./nix.md#installables),
or, if `--all` is given, the entire Nix store. For each path, it
checks that

* its contents match the NAR hash recorded in the Nix database; and

* it is *trusted*, that is, it is signed by at least one trusted
  signing key, is content-addressed, or is built locally ("ultimately
  trusted").

# Exit status

The exit status of this command is the sum of the following values:

* **1** if any path is corrupted (i.e. its contents don't match the
  recorded NAR hash).

* **2** if any path is untrusted.

* **4** if any path couldn't be verified for any other reason (such as
  an I/O error).
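
Because the exit status is a sum, a script has to test each value separately rather than compare the status to a single number. The following shell functions are an added example, not part of Nix; the names `decode_verify_status` and `run_verify` and the class labels they print are assumptions made for illustration:

```shell
#!/bin/sh
# Added example, not part of Nix: interpret the exit status of
# `nix store verify` as the sum of 1 (corrupted), 2 (untrusted)
# and 4 (could not be verified for another reason).
# Usage: . ./this-file; run_verify nix store verify --all

# decode_verify_status STATUS
# Prints the failure classes encoded in STATUS, space-separated, or "ok".
# Returns 1 when STATUS cannot be a sum of 1, 2 and 4, for example 127
# (command not found) or 128+N (killed by a signal); such a status says
# nothing about the store and must not be read as a verification result.
decode_verify_status() {
    case "$1" in
        ''|*[!0-9]*) echo "not-a-verify-status"; return 1 ;;
    esac
    if [ "$1" -gt 7 ]; then
        echo "not-a-verify-status"
        return 1
    fi
    out=""
    if [ $(( $1 & 1 )) -ne 0 ]; then out="$out corrupted"; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then out="$out untrusted"; fi
    if [ $(( $1 & 4 )) -ne 0 ]; then out="$out unverifiable"; fi
    out="${out# }"            # drop the leading separator
    echo "${out:-ok}"
}

# run_verify CMD [ARGS...]
# Runs the given verify command, reports the decoded classes on stderr,
# and returns the command's own exit status unchanged so callers can
# still apply their own policy (e.g. tolerate "untrusted" but not
# "corrupted").
run_verify() {
    rc=0
    "$@" || rc=$?
    echo "verify exit status $rc: $(decode_verify_status "$rc")" >&2
    return "$rc"
}
```
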


)""

Title: Nix Store Verification Command (`nix store verify`)
Summary
The `nix store verify` command is used to check the integrity and trustworthiness of paths within the Nix store. It can verify specific installables, a closure of paths, or the entire store using the `--all` option. The command ensures a path's contents match its recorded NAR hash and that it is trusted (e.g., signed, content-addressed, or locally built). Examples show how to verify the entire store, check paths for a minimum number of signatures, and verify against a binary cache. The command provides an exit status indicating different types of failures: 1 for corrupted paths, 2 for untrusted paths, and 4 for other verification issues like I/O errors.