Definition
Reproducible builds (also called deterministic builds) are software build processes in which, given identical source code and a fully specified build environment, independent compilations always yield bit-for-bit identical binaries, regardless of who runs the build or when and where. That property turns an otherwise opaque step, the compilation of source into the executable you actually run, into something anyone can independently verify.
The supply-chain problem it solves
Most users download pre-compiled binaries and simply trust that they correspond to the published source. An attacker, or a compromised build server, could slip malicious code into the binary while leaving the public source clean. Reproducible builds close that gap: multiple independent parties rebuild from the same source and confirm they get the same output, so a tampered binary stands out immediately. This is a strong defense against the kind of targeted supply-chain attack that matters acutely when a binary controls Bitcoin keys or miner hardware.
Where it shows up
Bitcoin Core and many wallets use a multi-builder reproducible build process (Guix) precisely so that independent contributors can sign off on identical artifacts. Achieving reproducibility requires eliminating uncontrolled inputs such as timestamps, build paths, and locale, so that the result depends only on the source and a declared toolchain.
Reproducible builds work hand in hand with signing tools like PGP / GPG and minisign / signify: rebuilders verify the bits, then sign them so others can trust the verification without redoing it.
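The effect of uncontrolled inputs can be shown with a small added example (not part of the original page, and not Bitcoin Core's Guix process). A tar archive stands in for the build artifact; the builder names, file contents and timestamps are constructed, and the `build`, `rebuild_all` and `verify` helpers are hypothetical.

```python
import hashlib
import io
import tarfile

# Constructed sample "source tree": file name -> contents.
SOURCE = {"src/main.c": b"int main(void){return 0;}\n", "README": b"demo\n"}

def build(files, mtime, owner, order, normalize=False, epoch=0):
    """Pack files into a tar archive and return its SHA-256 hex digest.

    mtime, owner and order stand in for a builder's uncontrolled environment.
    With normalize=True they are replaced by fixed, declared values.
    """
    names = sorted(files) if normalize else order
    buf = io.BytesIO()
    # USTAR keeps the header layout fixed (no pax extension records).
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mode = 0o644
            info.mtime = epoch if normalize else mtime
            info.uname = info.gname = "" if normalize else owner
            info.uid = info.gid = 0
            tar.addfile(info, io.BytesIO(files[name]))
    return hashlib.sha256(buf.getvalue()).hexdigest()

# Two constructed builders with different clocks, user names and file ordering.
BUILDERS = {
    "alice": dict(mtime=1700000000, owner="alice", order=["README", "src/main.c"]),
    "bob": dict(mtime=1700003600, owner="bob", order=["src/main.c", "README"]),
}

def rebuild_all(normalize):
    """Have every builder produce the artifact; return builder -> digest."""
    return {who: build(SOURCE, normalize=normalize, **env) for who, env in BUILDERS.items()}

def verify(published, digests):
    """Return the builders whose digest does not match the published one."""
    return sorted(who for who, d in digests.items() if d != published)

if __name__ == "__main__":
    naive = rebuild_all(normalize=False)
    fixed = rebuild_all(normalize=True)
    print("naive digests agree:", len(set(naive.values())) == 1)
    print("normalized digests agree:", len(set(fixed.values())) == 1)
    print("builders disagreeing with a tampered release:", verify("0" * 64, fixed))
```

Only when the builders' digests agree with each other does a mismatch against the published binary carry meaning; with the naive build, every rebuild differs and tampering is indistinguishable from noise.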
