Skip to main content
Verifiable builds ensure that the binary deployed on-chain can be independently reproduced from source code. This is critical for security audits and establishing trust in deployed programs.

Why Verifiable Builds?

Building Solana programs with the standard toolchain can embed machine-specific information into the resulting binary. This means:
  • Building the same source code on different machines produces different binaries
  • It’s impossible to verify that deployed code matches the published source
  • Auditors cannot confirm the on-chain program matches reviewed code
Verifiable builds solve this by building inside a Docker container with pinned dependencies, ensuring identical outputs regardless of the build environment.

Prerequisites

Before creating verifiable builds, install Docker: Verify Docker is running:

Building with —verifiable

Anchor handles all Docker operations automatically. To create a verifiable build:
This command:
  1. Pulls the official Anchor Docker image for your version
  2. Mounts your project directory into the container
  3. Builds your program(s) in the isolated environment
  4. Outputs the compiled .so files to target/verifiable/
The first verifiable build downloads the Docker image (~1-2 GB) which may take several minutes. Subsequent builds are much faster.

Build Output

Verifiable builds create additional output:

Verifying Deployed Programs

To verify that a deployed program matches your local build:
Where:
  • <lib-name>: The library name from your program’s Cargo.toml
  • <program-id>: The on-chain program address

Example

The verification process:
  1. Builds your program verifiably
  2. Fetches the deployed program binary from the blockchain
  3. Compares the two binaries byte-by-byte
  4. If an IDL exists, verifies the on-chain IDL matches your local version

Verification Output

Success:
Failure:

Docker Images

Anchor publishes official Docker images on Docker Hub for each release.

Image Tags

Images follow the format: solanafoundation/anchor:v<version>

Image Contents

Each image includes:
  • Anchor CLI (matching version)
  • Solana CLI tools
  • Rust toolchain (specific version)
  • Build dependencies

Specifying Versions

Control which versions are used for verifiable builds through Anchor.toml:
Anchor.toml
When you run anchor build --verifiable, Anchor uses the Docker image matching your specified anchor_version.
If anchor_version is not specified in Anchor.toml, Anchor uses the version of your currently installed CLI, which may not match the deployed program.

Advanced Usage

Build Specific Programs

Build only certain programs from a multi-program workspace:

Custom Docker Image

Use a custom Docker image for builds:

Source Code Verification

For building from a specific commit:

Troubleshooting

Docker Container Issues

If a verifiable build is interrupted, the container may still be running:

Disk Space

Docker images consume significant disk space. Clean up old images:

Build Failures

Dependency Resolution Issues: If builds fail due to dependency resolution, ensure your Cargo.lock is committed:
Version Mismatches: Verify your local Anchor version matches Anchor.toml:
Use AVM to switch versions:

Permission Errors

On Linux, Docker may create files owned by root. Fix ownership:

CI/CD Integration

Integrate verifiable builds into your deployment pipeline:

GitHub Actions Example

.github/workflows/verifiable-build.yml

Best Practices

Never deploy programs built without the --verifiable flag to mainnet:
Specify exact versions in Anchor.toml to ensure reproducibility:
Always commit your Cargo.lock file:
This ensures dependency versions are locked across all builds.
Include verification steps in your README:
Verify the build process works before deploying:

Security Considerations

  • Source Code Availability: Publish your source code in a public repository
  • Commit Hash: Document which commit corresponds to deployed versions
  • Build Reproducibility: Test that multiple people can reproduce your build
  • Upgrade Authority: Consider program upgradeability when planning verifiable deployments

Resources