Reproducible Builds
Reproducible builds allow anyone to verify that a binary was built from a specific source commit.
Requirements
- Docker
- just (optional, for convenience commands)
Build Environment
| Component | Version |
|---|---|
| Rust | 1.85.0 |
| Base Image | rust:1.85.0-slim-bookworm |
| Build Flags | -C strip=symbols -C codegen-units=1 |
Building
```bash
# Using just
just build-reproducible

# Or directly with Docker
docker build -f Dockerfile.reproducible -o type=local,dest=./dist .
```
The binary will be output to dist/keep.
Verification
Verify two builds match
```bash
just verify-reproducible
```
Verify against expected hash
```bash
just verify-sha <expected_sha256_hash>
```
Manual verification
```bash
docker build -f Dockerfile.reproducible -o type=local,dest=./dist .
sha256sum dist/keep
```
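The comparison step can be scripted so that a malformed or truncated expected hash fails loudly instead of being compared. This is an added example, not the project's `just` recipes; the function names `sha256_of`, `verify_sha` and `compare_builds` are hypothetical.

```bash
# Added example: hypothetical helpers, not the project's just recipes.
# Usage: verify_sha dist/keep <expected_sha256_hash>

# Print the SHA-256 hex digest of a file (read via stdin so the file
# name never appears in, or alters, the sha256sum output).
sha256_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# verify_sha FILE EXPECTED -> 0 match, 1 mismatch, 2 unusable input
verify_sha() {
    file=$1
    # A published digest may be upper case; normalise before comparing.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Accept exactly 64 hex characters, so an empty or truncated value
    # is reported as an input error rather than compared.
    case $expected in
        ''|*[!0-9a-f]*) echo "error: expected hash is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "error: expected hash must be 64 hex characters" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "error: $file not found" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# compare_builds FILE_A FILE_B -> 0 when bit-for-bit identical
compare_builds() {
    if [ ! -f "$1" ] || [ ! -f "$2" ]; then
        echo "error: missing build output" >&2
        return 2
    fi
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}
```

Exit status 2 separates "could not check" from status 1, "checked and different", which a CI job should treat as distinct failures.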
Release Hashes
Expected hashes for official releases will be published in release notes.
Technical Details
Reproducibility is achieved through:
- Pinned Rust version via `rust-toolchain.toml` and Docker image tag
- Locked dependencies via `Cargo.lock` and `--locked` flag
- Stripped symbols removing non-deterministic debug info
- Single codegen unit ensuring consistent compilation order
- Fixed SOURCE_DATE_EPOCH for deterministic embedded timestamps
CI Verification
Every PR and push to main runs the reproducibility check, building twice and comparing hashes.