Verification

Table of Contents

1. Nix store path verification

1.1. Commands

nix-store --verify
nix-store --verify-path ...
nix store verify
nix verify

1.2. Code

1.3. Algorithm

All three are implemented separately but perform essentially the same steps:

  1. get pathInfo with store->queryPathInfo
  2. get path's hash from store->narFromPath
  3. compare
  4. (nix3) verify sigs

queryPathInfo is implemented in mysterious ways in store-api.cc, but it essentially boils down to pulling the info from a sqlite db. narFromPath is virtual, and as far as I can tell the default store implementation is local-fs-store.cc.

1.4. PathInfo db

Stores path info; implemented in nar-info-disk-cache.cc. It gets populated and read on queries, i.e. queryPathInfo, and contains, most notably, the file and NAR hashes and the sigs.

1.5. narFromPath

local-fs-store.cc implements it by reading the actual store path. Other store implementations just run local-fs's function, so the db seems to be independent of the store.

1.6. nix3

nix store verify seems to be the most sophisticated of the three. Apart from doing nix-store's thing, nix3 verifies signatures - first the local ones, then the ones available from substituters. Verification entails comparing the path's fingerprint - i.e. refs, path and hash - as signed, against the signatures provided. The fingerprint is obtained from the local path info.

Keep your head up. Rev: 0.1.20240131.b741ea0.