Questions about Reproducible builds

In an ideal world, we would have every app and every app update audited. Reproducible builds are a step in the right direction though: they at least verify that the app you downloaded is built from the source code published. F-Droid does a good job at checking this. Are there any other simplified ways to do it, and on other operating systems as well? Because it would be time-consuming to do it manually with each app. Right now I install apps from GitHub (and check the signature using PG's AppVerifier), and use F-Droid as the source of updates with Obtainium; if the build is reproducible it will use the dev's signature (and wouldn't need to trust F-Droid's build environment) and update normally. Is there a better way (that wouldn't be too inconvenient)? Accrescent doesn't check for reproducible builds afaik, and even if they did they only have a handful of apps.

It seems GitHub can verify reproducible builds with GitHub - actions/attest-build-provenance: Action for generating build provenance attestations for workflow artifacts. Maybe we should start asking devs to use it, or make GitHub use it by default. I wonder if there is a way to make apps update only when the update can be reproducibly built.

Also curious about web apps like Tuta/Proton/etc. Is there a way to verify they're reproducibly built?

For Android I do not think there is a low-effort universal answer yet. What you are doing is already the practical version: prefer the developer signature, use AppVerifier/Obtainium where it fits, and treat F-Droid reproducible builds as a useful extra signal rather than a magic guarantee. For normal family devices I would rather keep the app list small and boring than try to manually verify every update.

For web apps it is harder, because the server can send different JavaScript tomorrow or to different users. Reproducible builds help less there unless the service also has a verifiable release/distribution model.
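The check the question and this reply are talking about, the one F-Droid and IzzyOnDroid run, boils down to: rebuild the app from the published source, then compare the result with the APK the developer shipped while ignoring the signature, since the rebuild cannot carry the developer's private key. The script below is an added example, not code from the thread or from F-Droid; it does that comparison on in-memory zip files that stand in for APKs (the sample "APKs" are constructed here and are not real apps). The v1 JAR signature lives in `META-INF/` entries, which are skipped; APK Signature Scheme v2/v3 data sits in the zip's signing block rather than in an entry, so a per-entry comparison ignores it without special handling.

```python
import hashlib
import io
import zipfile

# Zip entries that hold the v1 (JAR) signature. They legitimately differ between
# the developer's signed APK and an unsigned rebuild, so they are excluded.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC", "MANIFEST.MF")


def is_signature_entry(name):
    """True for entries that belong to the JAR signature, not the app itself."""
    upper = name.upper()
    return upper.startswith(SIGNATURE_PREFIX) and upper.endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes):
    """Map every non-signature entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(published, rebuilt):
    """Report entries present on only one side and entries whose content differs."""
    a = entry_digests(published)
    b = entry_digests(rebuilt)
    return {
        "only_in_published": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "differing": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def is_reproducible(published, rebuilt):
    """True when the shipped APK and the rebuild agree on every non-signature entry."""
    report = compare_apks(published, rebuilt)
    return not any(report.values())


def make_apk(entries):
    """Build a constructed in-memory zip standing in for an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample content: what the source tree builds into.
APP = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "res/values/strings.xml": b"<resources/>",
}
# Constructed stand-in for the developer's v1 signature entries (not a real signature).
DEV_SIGNATURE = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"constructed-pkcs7-blob",
}

PUBLISHED_APK = make_apk({**APP, **DEV_SIGNATURE})   # what the developer shipped
REBUILT_APK = make_apk(APP)                           # an honest rebuild from source
TAMPERED_APK = make_apk({**APP, "classes.dex": APP["classes.dex"] + b"extra"})

if __name__ == "__main__":
    print("rebuild matches:", is_reproducible(PUBLISHED_APK, REBUILT_APK))
    print("tampered diff:", compare_apks(PUBLISHED_APK, TAMPERED_APK))
```

This is a content-level diff: it tells you which entries differ, which is the useful part when a build is not reproducible. F-Droid's actual verification is stricter, copying the signature from the published APK onto the rebuild (with apksigcopier) and comparing the files byte for byte, so zip metadata such as entry timestamps and compression levels also has to match. Either way, the result only says "this binary came from that source"; it says nothing about whether the source is trustworthy, which is the "extra signal, not a guarantee" point made above.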

Hopefully we can find better ways/tools. First we need to ask devs to implement reproducible builds, and then why not have a crowdsourced database for checking it, like we are doing with signatures? Sure, it's more time/hardware demanding, but the security benefits are worth it imo.

Any idea about Windows/macOS? (I know Homebrew has a reproducible builds page, but my knowledge stops there.)

IzzyOnDroid also verifies RB: Reproducible Builds - IzzyOnDroid

Another RB verifier: GitHub - BarbossHack/reproducible: This repository verifies the reproducibility status of open-source messengers.

Maybe this could be helpful for fellow GOS users: GitHub - lucasbeiler/reproducible-builds-grapheneos: Scripts and cloud-based workflows to automate build reproducibility testing of GrapheneOS releases.