Skip to content
Latchkey

How to Produce Reproducible Builds as Evidence

A build that yields the same digest twice is verifiable evidence that the shipped artifact matches the reviewed source.

Reproducibility lets anyone confirm an artifact came from the reviewed source. Pin the toolchain, set SOURCE_DATE_EPOCH to strip timestamps, and rebuild to compare digests. This page shows the pattern; it is educational supply-chain guidance.

Steps

  • Pin the toolchain and base image by exact version or digest.
  • Set SOURCE_DATE_EPOCH so timestamps are deterministic.
  • Rebuild in a second job and assert the digest matches.

Deterministic build and verify

.github/workflows/ci.yml
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      SOURCE_DATE_EPOCH: ${{ github.event.repository.pushed_at }}
    steps:
      - uses: actions/checkout@v4
      - run: |
          make build
          sha256sum dist/app.tgz | tee digest-1.txt
      - run: |
          make clean && make build
          sha256sum dist/app.tgz | tee digest-2.txt
      - run: diff <(cut -d' ' -f1 digest-1.txt) <(cut -d' ' -f1 digest-2.txt) \
             || { echo "Build not reproducible"; exit 1; }

Notes

  • Unpinned dependencies and embedded timestamps are the usual causes of non-determinism.
  • Publish the digest alongside provenance so third parties can reproduce and verify.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →