Reproducible Builds
This page explains how Toqen.app ensures that application builds can be independently verified and matched to the published source code.
TL;DR
- Each build is linked to a specific commit.
- Build metadata is exposed in the application.
- The same source produces the same build output.
- Anyone can verify that the app matches the published code.
- Transparency supports independent security review.
How to Verify a Build
Each application build includes metadata that identifies the exact source commit used during the build process.
- Open the application and navigate to settings or build information.
- Locate the commit hash or build identifier.
- Match the commit hash against the public repository.
- Verify that the code corresponds to the released version.
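The check the four steps above describe, written out as an added example (this is not Toqen.app's own tooling; the JSON layout of the build-information screen, the tag-to-commit table and the commit ids are constructed assumptions). The point it makes explicit: the commit hash shown in the app is only a claim, so after matching it to the public repository you still rebuild that commit and compare the artifact byte for byte.

```python
"""Check an app's build metadata against the public repository and the
rebuilt artifact. Added example; the metadata layout, tag naming and
sample values below are assumptions, not Toqen.app's real format."""
import hashlib
import json
import re

# A full Git object id is 40 hex characters; an abbreviated hash is not
# enough evidence, because several commits can share a short prefix.
FULL_COMMIT_ID = re.compile(r"^[0-9a-f]{40}$")

# Constructed stand-in for the build information screen of the app.
BUILD_INFO_JSON = (
    '{"version": "1.4.2", '
    '"commit": "3f1c5a7e9b2d4c6f8a0e1b3d5f7a9c2e4b6d8f0a"}'
)

# Constructed stand-in for the release tags of the public repository:
# version string -> commit the tag points at.
PUBLIC_TAGS = {
    "1.4.2": "3f1c5a7e9b2d4c6f8a0e1b3d5f7a9c2e4b6d8f0a",
    "1.4.1": "9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b",
}


def parse_build_info(raw: str) -> dict:
    """Parse the metadata the app exposes; both fields must be present."""
    info = json.loads(raw)
    missing = [k for k in ("version", "commit") if k not in info]
    if missing:
        raise ValueError(f"build info lacks {missing}")
    return {"version": str(info["version"]),
            "commit": str(info["commit"]).lower()}


def check_commit_mapping(info: dict, public_tags: dict) -> list:
    """Return findings; an empty list means the build maps to one commit."""
    findings = []
    if not FULL_COMMIT_ID.match(info["commit"]):
        findings.append("commit id is not a full 40-hex object id")
    tagged = public_tags.get(info["version"])
    if tagged is None:
        findings.append(f"no public tag for version {info['version']}")
    elif tagged != info["commit"]:
        findings.append(
            f"tag {info['version']} points at {tagged[:12]}, "
            f"but the app reports {info['commit'][:12]}"
        )
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_release(raw_info: str, public_tags: dict,
                   published: bytes, reproduced: bytes) -> dict:
    """Full check: metadata -> commit mapping -> byte-for-byte artifact match.

    `published` is the artifact users download; `reproduced` is what you get
    by building the tagged commit yourself. The digest comparison is what
    actually ties the binary to the code.
    """
    info = parse_build_info(raw_info)
    findings = check_commit_mapping(info, public_tags)
    published_digest = sha256_hex(published)
    reproduced_digest = sha256_hex(reproduced)
    if published_digest != reproduced_digest:
        findings.append("rebuilt artifact differs from the published one")
    return {
        "version": info["version"],
        "commit": info["commit"],
        "published_sha256": published_digest,
        "reproduced_sha256": reproduced_digest,
        "ok": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed artifact bytes standing in for the real build outputs.
    published = b"toqen-app-1.4.2-binary\x00"
    print(json.dumps(verify_release(BUILD_INFO_JSON, PUBLIC_TAGS,
                                    published, published), indent=2))
```

In practice `published` comes from the release download and `reproduced` from a clean checkout of the reported commit built with the documented steps; a short hash, a version with no tag, or a digest mismatch each end up as a named finding rather than a silent pass.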
Commit to Build Mapping
Each published build is directly associated with a specific commit in the source repository.
- Build pipelines use the exact commit state without modification.
- Version identifiers include commit references where applicable.
- Build artifacts can be traced back to a single source revision.
- No hidden changes are introduced during the build process.
Ensuring Code Matches the Application
Reproducible builds ensure that the application distributed to users corresponds to the publicly available source code.
- The same source code produces the same build output under controlled conditions.
- Build steps are deterministic and documented.
- Dependencies and environments are defined to avoid variation.
- Independent parties can reproduce the build and compare results.
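An added example of what "deterministic under controlled conditions" means in practice, not Toqen.app's build pipeline: a naive packaging step that stamps the wall clock and takes files in arrival order is contrasted with one that sorts entries and fixes timestamps and ownership. The source tree and the tar-based packaging are constructed stand-ins; the same reasoning applies to whatever the real build produces.

```python
"""Why 'same source, same output' needs a controlled build: a naive packer
versus a deterministic one. Added example, not Toqen.app's build pipeline;
the file tree and the packaging step are constructed stand-ins."""
import hashlib
import io
import tarfile
import time

# Constructed stand-in for a checked-out source tree at one commit.
SOURCE_TREE = {
    "src/main.py": b"print('toqen')\n",
    "src/util.py": b"def f():\n    return 1\n",
    "assets/logo.svg": b"<svg/>\n",
}


def _pack(entries, mtime):
    """Write (name, data) pairs into an uncompressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w",
                      format=tarfile.USTAR_FORMAT) as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            info.uid = info.gid = 0          # no builder-specific ownership
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_build(sources, clock=time.time, order=None):
    """Packs files in arrival order and stamps the current time.

    Two runs on the same commit yield different bytes, so an independent
    party can never confirm the published artifact against this output."""
    names = list(sources) if order is None else list(order)
    return _pack([(n, sources[n]) for n in names], int(clock()))


def reproducible_build(sources, source_date_epoch=0):
    """Sorted entry order, fixed timestamp, fixed ownership: the same input
    gives the same bytes whoever runs it and whenever."""
    return _pack([(n, sources[n]) for n in sorted(sources)],
                 source_date_epoch)


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


if __name__ == "__main__":
    print("naive #1       ", digest(naive_build(SOURCE_TREE)))
    print("naive #2       ", digest(naive_build(SOURCE_TREE)))
    print("reproducible #1", digest(reproducible_build(SOURCE_TREE)))
    print("reproducible #2", digest(reproducible_build(SOURCE_TREE)))
```

The fixed timestamp plays the role that a pinned `SOURCE_DATE_EPOCH`, pinned dependency versions and a documented toolchain play in a real pipeline: every input that is not the source code is held constant, so any difference in the digest can only come from a difference in the code.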