
Reproducible build verification via Docker #180

@Th0rgal

Description

Context

SafeLens publishes SHA256SUMS.txt with each release, but users currently trust that CI produced the artifacts honestly. There is no independent way to reproduce an identical build and verify the hashes match.

VERIFY.md already documents the reproducibility limitations (code signing, timestamps, system libraries). A containerized build environment would eliminate most of these variables and let anyone independently verify release artifacts.

Proposal

Add a Dockerfile.verify that reproduces the release build in a deterministic environment:

docker build -f Dockerfile.verify \
  --build-arg TAG=v0.4.0 \
  --output type=local,dest=./verify-output .

The container would:

  1. Start from a pinned base image (e.g., rust:1.93.1-bookworm)
  2. Install exact pinned versions of Bun, system libraries
  3. Clone the repo at the specified release tag
  4. Run bun install --frozen-lockfile and bun run build:tauri
  5. Output the built artifacts and their SHA-256 hashes to verify-output/SHA256SUMS.txt

Users compare the container's SHA256SUMS.txt against the one published in the GitHub release. If they match, the release artifacts are faithful to the source.

Scope

  • Dockerfile.verify with pinned base image + toolchain versions
  • scripts/verify-release.sh wrapper that builds and compares hashes
  • Document the workflow in VERIFY.md
  • CI job that runs the containerized build on each release tag and asserts hash match against the regular build

Limitations to address

  • Code signing: Container builds won't be code-signed. Compare unsigned artifacts only, or strip signatures before hashing.
  • Platform matrix: Start with Linux x64 only (easiest to reproduce). macOS/Windows builds are harder due to system library differences.
  • Build cache: Docker layer caching must not affect output. Use --no-cache for verification runs.
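The hash-comparison half of the scripts/verify-release.sh wrapper from the Scope list, written out as an added example (this is not SafeLens's own script): it writes a SHA256SUMS.txt the way step 5 describes, compares it entry by entry against the published list, and reports OK, MISMATCH or MISSING per artifact. The artifact names, the fixture directories and the reproduce() wrapper around docker build are assumptions; the fixture is constructed in a temp directory so the script runs without Docker.

```shell
#!/bin/sh
# Added example (not SafeLens's own script) of the compare step that
# scripts/verify-release.sh would run after the container build.
# Assumptions: both lists are in sha256sum's "<hex>  <name>" format, one line per
# artifact; the artifact names and the fixture directories below are constructed.

# Hash one file portably (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Write SHA256SUMS.txt for the regular files in a directory (the list itself is
# skipped). The shell glob expands in sorted order, so two runs over identical
# artifacts yield byte-identical lists.
write_sums() {
  dir=$1; out=$2
  : > "$out"
  for path in "$dir"/*; do
    [ -f "$path" ] || continue
    [ "$(basename "$path")" != "SHA256SUMS.txt" ] || continue
    printf '%s  %s\n' "$(sha256_of "$path")" "$(basename "$path")" >> "$out"
  done
}

# Compare the published list against the reproduced one. Every published artifact
# must appear in the reproduced list with the same digest; an artifact the
# container did not produce, or produced with a different digest, fails the run.
# (Artifact names are assumed to contain no whitespace.)
compare_sums() {
  published=$1; reproduced=$2; status=0
  while read -r hash name; do
    [ -n "$name" ] || continue
    got=$(awk -v n="$name" '$2 == n { print $1 }' "$reproduced")
    if [ -z "$got" ]; then
      echo "MISSING   $name (not produced by the container build)"; status=1
    elif [ "$got" != "$hash" ]; then
      echo "MISMATCH  $name"
      echo "  published:  $hash"
      echo "  reproduced: $got"; status=1
    else
      echo "OK        $name"
    fi
  done < "$published"
  return $status
}

# The container build itself (needs Docker; not run by the demo below).
# --no-cache keeps Docker layer caching out of the result, as the issue asks.
reproduce() {
  tag=$1
  docker build -f Dockerfile.verify --no-cache \
    --build-arg "TAG=$tag" \
    --output type=local,dest=./verify-output .
}

# Constructed fixture: release/ holds the "published" artifacts, verify-output/ an
# identical rebuild, tampered/ a rebuild with one artifact altered. Prints its path.
make_fixture() {
  work=$(mktemp -d)
  mkdir "$work/release" "$work/verify-output" "$work/tampered"
  printf 'constructed artifact A\n' > "$work/release/app-linux-x64.AppImage"
  printf 'constructed artifact B\n' > "$work/release/app-linux-x64.deb"
  cp "$work/release"/* "$work/verify-output/"
  cp "$work/release"/* "$work/tampered/"
  printf 'extra byte\n' >> "$work/tampered/app-linux-x64.deb"
  for d in release verify-output tampered; do
    write_sums "$work/$d" "$work/$d/SHA256SUMS.txt"
  done
  echo "$work"
}

# Stand-alone run: the faithful rebuild passes, the tampered one is reported.
fixture=$(make_fixture)
echo "== faithful rebuild =="
compare_sums "$fixture/release/SHA256SUMS.txt" "$fixture/verify-output/SHA256SUMS.txt"
echo "== tampered rebuild =="
compare_sums "$fixture/release/SHA256SUMS.txt" "$fixture/tampered/SHA256SUMS.txt" \
  || echo "verification FAILED (expected for the tampered tree)"
rm -rf "$fixture"
```

compare_sums exits non-zero on any MISMATCH or MISSING, so the CI job in the Scope list can gate a release on it. The comparison is keyed on artifact name, so a renamed or dropped artifact surfaces as MISSING instead of passing silently, and, per the code-signing limitation above, the list fed to it should be built from the unsigned (or signature-stripped) artifacts on both sides.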

Prior art

Why this matters for SafeLens

SafeLens is an offline transaction verifier — users trust it with signing decisions. If the binary doesn't match the source, that trust is misplaced. Reproducible builds close this gap.
