Packaging Binary Distributions for Nix

Extract and patch binary packages within Nix builds for reproducibility.

Core Principle

Source from original archive directly, never from pre-extracted directories.

When to Use

• Converting binary packages (.deb, .rpm, .tar.gz, .zip) to Nix derivations
• Packaging proprietary/closed-source software distributed as binaries
• Electron/GUI apps show "library not found" errors
• User provides pre-extracted binary contents
• Binary distributions need library path fixes

Don't use for:

• Software available in nixpkgs
• Source-based packages (use standard derivation)
• AppImages (use appimage-run or extract and patch)

Quick Reference

Topic	Rule File
Core pattern for .deb packages	essential-pattern
.rpm, .tar.gz, .zip extraction	archive-formats
nativeBuildInputs vs buildInputs	dependencies
Local vs remote source files	source-files
Common pitfalls and fixes	common-mistakes
Finding missing libraries with ldd	finding-libraries
Quick testing with steam-run	quick-testing
Troubleshooting autoPatchelf errors	troubleshooting-autoPatchelf
Version variable in filename	version-management
Electron app dependencies	electron-apps
FHS env for resistant binaries	advanced-fhs-env
Build phases and hooks	build-phases
Wrapper scripts with makeWrapper	wrapper-programs

Essential Pattern (.deb)

{ pkgs }:

pkgs.stdenv.mkDerivation rec {
  pname = "appname";
  version = "1.0.0";

  src = ./AppName-${version}-linux-amd64.deb;

  nativeBuildInputs = with pkgs; [
    autoPatchelfHook  # Fixes library paths
    dpkg              # Extracts .deb
  ];

  buildInputs = with pkgs; [
    stdenv.cc.cc.lib
    glib
    gtk3
  ];

  unpackPhase = ''
    ar x $src
    tar xf data.tar.xz
  '';

  installPhase = ''
    mkdir -p $out
    cp -r opt/AppName/* $out/
  '';
}

Common Tasks

Task	Solution
Local archive	src = ./package-${version}.tar.gz
Remote archive	src = fetchurl { url = "..."; hash = "sha256-..."; }
Extract .deb	ar x $src && tar xf data.tar.xz + dpkg
Extract .rpm	rpm2cpio $src | cpio -idmv + rpm, cpio
Extract .tar.gz	Auto-detected by stdenv
Extract .zip	Add unzip to nativeBuildInputs
Fix libraries	Add autoPatchelfHook to nativeBuildInputs
Find missing libs	Run ldd result/bin/app for "not found"
Quick test binary	nix-shell -p steam-run; steam-run ./binary
Debug autoPatchelf	nix log /nix/store/...-drv
Search libraries	nix-locate libX11.so.6
Wrapper scripts	Add makeWrapper to nativeBuildInputs
Version sync	Use src = ./app-${version}.tar.gz

Dependency Categories

nativeBuildInputs: Build-time tools (dpkg, autoPatchelfHook, makeWrapper)
buildInputs: Runtime libraries (gtk3, glib, libpulseaudio)
propagatedBuildInputs: Rarely needed for binary packaging

Common Library Mappings

Missing Library	Nix Package
libgtk-3.so.0	gtk3
libglib-2.0.so.0	glib
libpulse.so.0	libpulseaudio
libGL.so.1	mesa or libglvnd
libxkbcommon.so.0	libxkbcommon (NOT xorg.libxkbcommon)
libstdc++.so.6	stdenv.cc.cc.lib

Red Flags - STOP

• "User already extracted it, use that directory" → NO, source from original archive
• "Absolute path works for me locally" → Breaks for others, use relative
• "Just add more libraries until it works" → Find actual dependencies with ldd

How to Use

Read individual rule files for detailed explanations and code examples:

rules/essential-pattern.md
rules/archive-formats.md
rules/_sections.md

Each rule file contains:

• Brief explanation of why it matters
• Incorrect code example with explanation
• Correct code example with explanation
• Additional context and references

Full Compiled Document

For the complete guide with all rules expanded: AGENTS.md