[Nix-dev] When calling nix-store --verify-path - How to know the hash database is not corrupt?

Eelco Dolstra eelco.dolstra at logicblox.com
Thu Mar 10 11:28:52 CET 2016


Hi,

On 09/03/16 15:58, Matthias Beyer wrote:

> I have a question. When calling `nix-store --verify-path /nix/store/something`,
> it verifies that the contents of the store path haven't been altered by an
> attacker or some other corruption like bitflips or something, am I right?
> 
> It does so by comparing the hashsum of the directory contents with a hash sum
> stored in some database, am I right?
> 
> How to know that the database isn't corrupt?

You can't.

However, if the binary comes from the binary cache, you can (manually) verify
the hash against the binary cache. In Nix 1.12, you can query the binary cache
for the hash of a store path as follows:

  $ NIX_REMOTE=https://cache.nixos.org/ nix-store -q --hash PATH

In the future Nix will probably store binary cache signatures in its database,
and provide a command to check local paths against binary caches.

-- 
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/

