diff --git a/app/flatpak-builtins-build-export.c b/app/flatpak-builtins-build-export.c
index 5de89d62..bf6bdb52 100644
--- a/app/flatpak-builtins-build-export.c
+++ b/app/flatpak-builtins-build-export.c
@@ -458,7 +458,7 @@ validate_desktop_file (GFile      *desktop_file,
   subprocess = g_subprocess_new (G_SUBPROCESS_FLAGS_STDOUT_PIPE |
                                  G_SUBPROCESS_FLAGS_STDERR_PIPE |
                                  G_SUBPROCESS_FLAGS_STDERR_MERGE,
-                                 &local_error, "desktop-file-validate", path, NULL);
+                                 &local_error, "@dfu@/bin/desktop-file-validate", path, NULL);
   if (!subprocess)
     {
       if (!g_error_matches (local_error, G_SPAWN_ERROR, G_SPAWN_ERROR_NOENT))
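Review bot: The `G_SPAWN_ERROR_NOENT` test right after the `g_subprocess_new` call suggests a missing validator is tolerated, so if the `@dfu@` placeholder is ever left unsubstituted, desktop-file validation would presumably be skipped without failing the export. The NOENT branch itself lies outside this hunk, so this is inferred rather than confirmed. Pinning the absolute path is a good change because it removes the PATH lookup for a helper whose verdict gates the export. A comment on the call would make the dependency visible, for example `/* @dfu@ is substituted with the desktop-file-utils prefix at build time; a NOENT here means the file was not validated */`.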
diff --git a/tests/libtest.sh b/tests/libtest.sh
index e64be49f..a9a53e12 100644
--- a/tests/libtest.sh
+++ b/tests/libtest.sh
@@ -367,7 +367,7 @@ if [ -z "${FLATPAK_BWRAP:-}" ]; then
     # running installed-tests: assume we know what we're doing
     _flatpak_bwrap_works=true
 elif ! "$FLATPAK_BWRAP" --unshare-ipc --unshare-net --unshare-pid \
-        --ro-bind / / /bin/true > bwrap-result 2>&1; then
+        --ro-bind / / @coreutils@/bin/true > bwrap-result 2>&1; then
     _flatpak_bwrap_works=false
 else
     _flatpak_bwrap_works=true
@@ -440,7 +440,7 @@ dbus-daemon --fork --config-file=session.conf --print-address=3 --print-pid=4 \
 export DBUS_SESSION_BUS_ADDRESS="$(cat dbus-session-bus-address)"
 DBUS_SESSION_BUS_PID="$(cat dbus-session-bus-pid)"
 
-if ! /bin/kill -0 "$DBUS_SESSION_BUS_PID"; then
+if ! @coreutils@/bin/kill -0 "$DBUS_SESSION_BUS_PID"; then
     assert_not_reached "Failed to start dbus-daemon"
 fi
 
@@ -449,7 +449,7 @@ gdb_bt () {
 }
 
 cleanup () {
-    /bin/kill -9 $DBUS_SESSION_BUS_PID
+    @coreutils@/bin/kill -9 $DBUS_SESSION_BUS_PID
     gpg-connect-agent --homedir "${FL_GPG_HOMEDIR}" killagent /bye || true
     fusermount -u $XDG_RUNTIME_DIR/doc || :
     kill $(jobs -p) &> /dev/null || true
diff --git a/tests/make-test-app.sh b/tests/make-test-app.sh
index e51e21a6..7d39efb5 100755
--- a/tests/make-test-app.sh
+++ b/tests/make-test-app.sh
@@ -149,13 +149,13 @@ msgid "Hello world"
 msgstr "Hallo Welt"
 EOF
 mkdir -p ${DIR}/files/de/share/de/LC_MESSAGES
-msgfmt --output-file ${DIR}/files/de/share/de/LC_MESSAGES/helloworld.mo de.po
+@gettext@/bin/msgfmt --output-file ${DIR}/files/de/share/de/LC_MESSAGES/helloworld.mo de.po
 cat > fr.po <<EOF
 msgid "Hello world"
 msgstr "Bonjour le monde"
 EOF
 mkdir -p ${DIR}/files/fr/share/fr/LC_MESSAGES
-msgfmt --output-file ${DIR}/files/fr/share/fr/LC_MESSAGES/helloworld.mo fr.po
+@gettext@/bin/msgfmt --output-file ${DIR}/files/fr/share/fr/LC_MESSAGES/helloworld.mo fr.po
 
 flatpak build-finish ${DIR}
 mkdir -p repos
diff --git a/tests/make-test-runtime.sh b/tests/make-test-runtime.sh
index 5d2c309b..cf61a3cf 100755
--- a/tests/make-test-runtime.sh
+++ b/tests/make-test-runtime.sh
@@ -25,9 +25,10 @@ EOF
 
 # On Debian derivatives, /usr/sbin and /sbin aren't in ordinary users'
 # PATHs, but ldconfig is kept in /sbin
-PATH="$PATH:/usr/sbin:/sbin"
+PATH="$PATH:@socat@/bin:/usr/sbin:/sbin"
 
 # Add bash and dependencies
+mkdir -p ${DIR}/nix/store
 mkdir -p ${DIR}/usr/bin
 mkdir -p ${DIR}/usr/lib
 ln -s ../lib ${DIR}/usr/lib64
@@ -37,48 +38,24 @@ if test -f /sbin/ldconfig.real; then
 else
     cp `which ldconfig` ${DIR}/usr/bin
 fi
-LIBS=`mktemp`
-BINS=`mktemp`
-
-add_bin() {
-    local f=$1
-    shift
-
-    if grep -qFe "${f}" $BINS; then
-        # Already handled
-        return 0
-    fi
-
-    echo $f >> $BINS
-
-    # Add library dependencies
-    (ldd "${f}" | sed "s/.* => //"  | awk '{ print $1}' | grep ^/ | sort -u -o $LIBS $LIBS -)  || true
-
-    local shebang=$(sed -n '1s/^#!\([^ ]*\).*/\1/p' "${f}")
-    if [ x$shebang != x ]; then
-        add_bin "$shebang"
-    fi
-}
-
 for i in $@ bash ls cat echo readlink socat; do
-    I=`which $i`
-    add_bin $I
-done
-for i in `cat $BINS`; do
-    #echo Adding binary $i 1>&2
-    cp "$i" ${DIR}/usr/bin/
-done
-for i in `cat $LIBS`; do
-    #echo Adding library $i 1>&2
-    cp "$i" ${DIR}/usr/lib/
+    I=$(readlink -f $(which $i))
+    [ -e ${DIR}/usr/bin/$i ] && continue
+    requisites=$(nix-store --query --requisites "$I")
+    for r in $requisites; do
+        # a single store item can be needed by multiple paths, no need to copy it again
+        if [ ! -e ${DIR}/$r ]; then
+            cp -r $r ${DIR}/$r
+        fi
+    done
+    ln -s $I ${DIR}/usr/bin/$i
 done
 ln -s bash ${DIR}/usr/bin/sh
 
-# We copy the C.UTF8 locale and call it en_US. Its a bit of a lie, but
-# the real en_US locale is often not available, because its in the
-# local archive.
-mkdir -p ${DIR}/usr/lib/locale/
-cp -r /usr/lib/locale/C.* ${DIR}/usr/lib/locale/en_US
+mv ${DIR}/nix/store ${DIR}/usr/store # files outside /usr are not permitted, we will have to replace /nix/store with /usr/store
+chmod -R u+w ${DIR} # nix store has read-only directories which would cause problems during clean-up, files need to be writable for sed
+find ${DIR} -type f -print0 | xargs -0 sed -i 's~/nix/store/~/usr/store/~g' # replace hardcoded paths
+find ${DIR} -type l | xargs -I '{}' sh -c 'tg="$(readlink "$1")"; newtg="${tg#/nix/store/}"; if [ "$tg" != "$newtg" ]; then ln -fs "/usr/store/$newtg" "$1"; fi' -- '{}' # replace symlink targets
 
 if [ x$COLLECTION_ID != x ]; then
     collection_args=--collection-id=${COLLECTION_ID}
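Review bot: In the `for i in $@ bash ls cat echo readlink socat` loop the result of `which $i` is never checked, so a tool missing from PATH leaves `I` empty. `ln -s $I ${DIR}/usr/bin/$i` then runs with a single operand and creates a stray link in the current directory, unless the script sets `set -e` outside this hunk. Failing early with `I=$(readlink -f "$(which "$i")") || exit 1`, and quoting `"$r"` and `"${DIR}/$r"` in the `cp -r`, would make a broken test runtime obvious. The symlink rewrite on the last added line also pipes `find ${DIR} -type l` into `xargs` without NUL delimiters, unlike the `sed` line before it. `find ${DIR} -type l -print0 | xargs -0 -I '{}' sh -c …` keeps the two consistent for paths containing whitespace.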
diff --git a/tests/testlibrary.c b/tests/testlibrary.c
index 44ae28e3..76bf619f 100644
--- a/tests/testlibrary.c
+++ b/tests/testlibrary.c
@@ -1343,7 +1343,7 @@ check_bwrap_support (void)
     {
       gint exit_code = 0;
       char *argv[] = { (char *) bwrap, "--unshare-ipc", "--unshare-net",
-                       "--unshare-pid", "--ro-bind", "/", "/", "/bin/true", NULL };
+                       "--unshare-pid", "--ro-bind", "/", "/", "@coreutils@/bin/true", NULL };
       g_autofree char *argv_str = g_strjoinv (" ", argv);
       g_test_message ("Spawning %s", argv_str);
       g_spawn_sync (NULL, argv, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, NULL, NULL, &exit_code, &error);
diff --git a/triggers/desktop-database.trigger b/triggers/desktop-database.trigger
index 2188f535..d8283061 100755
--- a/triggers/desktop-database.trigger
+++ b/triggers/desktop-database.trigger
@@ -1,5 +1,5 @@
 #!/bin/sh
 
-if test \( -x "$(which update-desktop-database 2>/dev/null)" \) -a \( -d $1/exports/share/applications \); then
-    exec update-desktop-database -q $1/exports/share/applications
+if test \( -d $1/exports/share/applications \); then
+    exec @dfu@/bin/update-desktop-database -q $1/exports/share/applications
 fi
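Review bot: `$1` is expanded unquoted in both the `test -d` and the `exec` line, so an installation path containing whitespace or glob characters is split before it reaches `update-desktop-database`. Since these lines are being rewritten anyway, they could become `if test -d "$1/exports/share/applications"; then` and `exec @dfu@/bin/update-desktop-database -q "$1/exports/share/applications"`. The same applies to the `$1` and `$dir` expansions in gtk-icon-cache.trigger and to `$1` in mime-database.trigger. Dropping the `-x "$(which …)"` guard also means a missing binary now makes the trigger fail rather than skip, which is presumably intended with a pinned store path but is worth a one-line comment.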
diff --git a/triggers/gtk-icon-cache.trigger b/triggers/gtk-icon-cache.trigger
index 711cfab2..07baa2ac 100755
--- a/triggers/gtk-icon-cache.trigger
+++ b/triggers/gtk-icon-cache.trigger
@@ -1,10 +1,10 @@
 #!/bin/sh
 
-if test \( -x "$(which gtk-update-icon-cache 2>/dev/null)" \) -a \( -d $1/exports/share/icons/hicolor \); then
-    cp /usr/share/icons/hicolor/index.theme $1/exports/share/icons/hicolor/
+if test \( -d $1/exports/share/icons/hicolor \); then
+    cp @hicolorIconTheme@/share/icons/hicolor/index.theme $1/exports/share/icons/hicolor/
     for dir in $1/exports/share/icons/*; do
         if test -f $dir/index.theme; then
-            if ! gtk-update-icon-cache --quiet $dir; then
+            if ! @gtk3@/bin/gtk-update-icon-cache --quiet $dir; then
                 echo "Failed to run gtk-update-icon-cache for $dir"
                 exit 1
             fi
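Review bot: The `cp @hicolorIconTheme@/share/icons/hicolor/index.theme …` line does not check its exit status, and its source now lives in the Nix store, where files are read-only. The copy would therefore presumably be created without write permission, so a later run of the trigger as a non-root user could fail to overwrite it and continue with whatever `index.theme` is already there. Forcing the replacement and stopping on failure avoids that, for example `cp -f @hicolorIconTheme@/share/icons/hicolor/index.theme "$1/exports/share/icons/hicolor/" || exit 1`. The `for` loop opened in this hunk continues past its last line.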
diff --git a/triggers/mime-database.trigger b/triggers/mime-database.trigger
index 2067d8ec..a49a8777 100755
--- a/triggers/mime-database.trigger
+++ b/triggers/mime-database.trigger
@@ -1,5 +1,5 @@
 #!/bin/sh
 
-if test \( -x "$(which update-mime-database 2>/dev/null)" \) -a \( -d $1/exports/share/mime/packages \); then
-    exec update-mime-database $1/exports/share/mime
+if test \( -d $1/exports/share/mime/packages \); then
+    exec @smi@/bin/update-mime-database $1/exports/share/mime
 fi