🧱 Bitcoin Core Reproducible Build: Web of Trust Diagram
[1] Official Source Release (v29.0)
 |
 |---> Signed Git tag by maintainer (e.g., Glozow)
 |      |
 |      `---> Tag is GPG-signed by: F19F5FF2B0589EC341220045BA03F4DBE0C63FB4
 |
[2] Independent Builders Clone Repo
 |
 |---> hebasto  ---> git checkout v29.0
 |              ---> guix build
 |              ---> generate hash + .buildinfo + manifest
 |              ---> sign the hash with GPG
 |
 |---> fanquake ---> same steps
 |
 |---> others   ---> same steps
 |
[3] Submit signatures to guix.sigs
 |
 `---> Each signature (.sig) matches the same commit/hash
        |
        `---> Verified: Everyone built the exact same binary from the same source

[4] Anyone can verify:
 |
 |---> Compare hashes of downloaded binaries
 |---> Check `.sig` files against public GPG keys of signers
 |
 `---> Trust is built because:
        Multiple builders + identical outputs + verified GPG signatures
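
The hash comparison in step [4], as an added example (not Bitcoin Core's or guix.sigs' own tooling): it accepts a download only when at least two builders attest the same SHA-256 for it. Assumptions: manifests are in sha256sum format, the artifact name and bytes are constructed placeholders, and each manifest's GPG signature has already been checked separately.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: stand-in bytes and a placeholder artifact name.
ARTIFACT = "example-release.tar.gz"
SAMPLE = b"constructed stand-in for a release artifact"
_D = hashlib.sha256(SAMPLE).hexdigest()
# One manifest per builder, in sha256sum format (assumed layout).
MANIFESTS = {
    "hebasto": f"{_D}  {ARTIFACT}\n",
    "fanquake": f"{_D} *{ARTIFACT}\n",  # binary-mode marker, same digest
}

def parse_sha256sums(text):
    """Parse '<64 hex digest>  <name>' lines into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) == 64 and set(digest) <= set("0123456789abcdef"):
            entries[name] = digest
    return entries

def agreed_digest(manifests, artifact, min_builders=2):
    """Return the one digest every attesting builder reports, else raise.

    Assumes each manifest's GPG signature was already checked
    (for example with `gpg --verify`) against a key the verifier trusts.
    """
    by_digest = defaultdict(list)
    for builder, text in manifests.items():
        digest = parse_sha256sums(text).get(artifact)
        if digest:
            by_digest[digest].append(builder)
    if len(by_digest) != 1:
        raise ValueError(f"no single agreed digest: {dict(by_digest)}")
    digest, builders = next(iter(by_digest.items()))
    if len(builders) < min_builders:
        raise ValueError(f"only {len(builders)} builder(s) attest {artifact}")
    return digest

def verify_download(data, manifests, artifact, min_builders=2):
    """True only if the download's SHA-256 equals the builders' agreed digest."""
    return hashlib.sha256(data).hexdigest() == agreed_digest(
        manifests, artifact, min_builders)

if __name__ == "__main__":
    print(verify_download(SAMPLE, MANIFESTS, ARTIFACT))
```

A single dissenting manifest makes `agreed_digest` raise rather than fall back to a majority, so a mismatch is surfaced for investigation instead of being outvoted.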