How to change epoch for a derivation?


I am currently trying to build a derivation that uses a darwin application (the ones with the .app extension).

The derivation is pretty straightforward:

pkgs.stdenv.mkDerivation {
  name = "cypress";
  unpackPhase = "unzip $src -d $out > /dev/null";
  buildInputs = [pkgs.unzip];
  src = pkgs.fetchurl {
    url = "";
    sha256 = "sha256-mEaNNblRwcmEeQR8VV+0zbRCPtzxxUEyT5ktSg/x6UU=";

After building I end up with the following binary:

$ ls -la /nix/store/cr2qvy5zinjlc7h1rfz8m50dav34492v-cypress/
-r-xr-xr-x  1 root  wheel  69536 Dec 31  1969 /nix/store/cr2qvy5zinjlc7h1rfz8m50dav34492v-cypress/

When I try to execute it on my machine, I am getting the following error:


I suspect this error is caused by the fact that all files within the nix store have a epoch=1, which triggers the OS antivirus.

So here’s the question: Is there a way to make files in the nix store have a different epoch so the darwin antivirus does not trigger when it tries to execute them?

Any extra information on how to build darwin .app packages would be greatly appreciated.


1 Like

This is by design:

  • Metadata on files in the Nix store is canonicalised after builds: the last-modified timestamp is set to 0 (00:00:00 1/1/1970), the mode is set to 0444 or 0555 (readable and possibly executable by all; setuid/setgid bits are dropped), and the group is set to the default. This ensures that the result of a build and an installation through a substitute is the same; and that timestamp dependencies are revealed.

@waffle8946 Thank you!

I will investigate ways of disabling the darwin antivirus for the /nix/store path.