cargo-reproduce

version: 0.1.0
created_at: 2025-09-28 15:10:00.575162+00
updated_at: 2025-09-28 15:10:00.575162+00
description: A Cargo subcommand for reproducible Rust builds. Normalizes the build environment, strips nondeterministic metadata, and verifies bit-for-bit reproducibility.
repository: https://github.com/tommantonclery/cargo-reproduce
id: 1858417
size: 35,364
author: Thomas Clery (tommantonclery)

README

cargo-reproduce

cargo-reproduce is a Cargo subcommand that helps you check whether your Rust builds are really reproducible.
It sets up a consistent build environment, strips out things like timestamps and user paths, and then gives you a stable hash of the final binary.


Why should I care?

By default, Cargo builds are usually deterministic on the same machine, but not always reproducible across different machines or even different directories.
That means:

  • The same crate can produce slightly different binaries
  • It’s hard to prove that a binary you downloaded was built from the source it claims
  • Distros and companies that care about supply-chain security or compliance can’t rely on Cargo alone

This tool is an experiment to close that gap.


Quick start

Install from source:

cargo install --path cargo-reproduce

Build with reproducibility checks:

cargo repro build --strict

Later, verify the binary still matches:

cargo repro verify

Example

Two copies of the same crate in different directories:

# In hello-repro/
cargo repro build --strict
# → Reproducible build hash: ca6c0316891aafd83ec99d245d9e7268246a628beda789e4cc0ba1ea75388bb2

# In hello-repro-copy/
cargo repro build --strict
# → Reproducible build hash: ca6c0316891aafd83ec99d245d9e7268246a628beda789e4cc0ba1ea75388bb2

Both builds give the exact same hash ✅. That’s reproducibility.


How it works

  • Sets SOURCE_DATE_EPOCH to remove nondeterministic timestamps
  • Remaps absolute paths (crate root, Cargo home, target, home directory, etc.)
  • Clears out env vars like USERNAME and HOSTNAME
  • In --strict mode:
    • Turns off debug info (-C debuginfo=0)
    • Forces deterministic linking (/Brepro on MSVC, --no-insert-timestamp on GNU/LLD)
    • Runs llvm-strip to get rid of leftover metadata
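The same normalisation, done by hand with plain cargo, rustc flags and env(1). This is an added example, not cargo-reproduce's own code; the SOURCE_DATE_EPOCH value, the remap targets (/src, /cargo, /target, /home/user) and the hypothetical script name repro.sh are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the tool's code): manual equivalent of the normalisation
# steps above. Remap targets and the epoch value are constructed choices.
set -eu

# Compose RUSTFLAGS. rustc gives precedence to later --remap-path-prefix
# entries, so the most specific prefix (target/ inside the crate root) is last.
repro_rustflags() {
    crate_root=$1 cargo_home=$2 home_dir=$3 strict=$4 target=$5
    flags="--remap-path-prefix=$home_dir=/home/user"
    flags="$flags --remap-path-prefix=$cargo_home=/cargo"
    flags="$flags --remap-path-prefix=$crate_root=/src"
    flags="$flags --remap-path-prefix=$crate_root/target=/target"
    if [ "$strict" = 1 ]; then
        flags="$flags -C debuginfo=0"          # strict: no debug info
        case $target in                         # strict: no PE link timestamp
            *windows-gnu)  flags="$flags -C link-arg=-Wl,--no-insert-timestamp" ;;
            *windows-msvc) flags="$flags -C link-arg=/Brepro" ;;
        esac
    fi
    printf '%s' "$flags"
}

# Build one checkout in a scrubbed environment (env -i drops USERNAME,
# HOSTNAME and friends), strip leftover metadata, print the binary's sha256.
repro_build() {
    dir=$1 bin=$2
    cargo_home=${CARGO_HOME:-$HOME/.cargo}
    target=$(rustc -vV | sed -n 's/^host: //p')
    env -i PATH="$PATH" HOME="$HOME" CARGO_HOME="$cargo_home" \
        SOURCE_DATE_EPOCH=1700000000 \
        RUSTFLAGS="$(repro_rustflags "$dir" "$cargo_home" "$HOME" 1 "$target")" \
        cargo build --release --quiet --manifest-path "$dir/Cargo.toml"
    out=$dir/target/release/$bin
    if command -v llvm-strip >/dev/null 2>&1; then llvm-strip "$out"; fi
    sha256sum "$out" | cut -d' ' -f1
}

# Two hashes match only when both are non-empty and identical.
same_hash() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Usage: sh repro.sh <bin-name> <checkout-A> <checkout-B>
if [ "$#" -eq 3 ]; then
    h1=$(repro_build "$2" "$1"); h2=$(repro_build "$3" "$1")
    if same_hash "$h1" "$h2"; then echo "Reproducible build hash: $h1"
    else echo "MISMATCH: $h1 vs $h2" >&2; exit 1; fi
fi
```

Run it against two checkouts of the same crate in different directories; a mismatch exits non-zero so it can gate a CI job.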

Project status

This is an early prototype. It’s not production-ready, but it shows that reproducible Rust builds are possible today with the right flags. The hope is that this kind of work can help inform Cargo itself if/when reproducible builds become a first-class feature.


License

MIT © 2025 tommantonclery