As part of our work at RSK to strengthen our infrastructure, we started an effort to publish reproducible builds of our dependencies. Since we’re in the process of upgrading BouncyCastle, we decided to start with this library: https://github.com/rsksmart/reproducible-builds/tree/master/bouncycastle/1.59.
In that repository, we published a Dockerfile with the recipe to build BouncyCastle 1.59 in a reproducible way: the same JAR, bit by bit, can be verified independently from these open sources.
We also decided to expose and compile the lightweight API JAR file, since we are not signing the JAR and can’t take advantage of the JCE provider.
Our end goal is to collaborate to support reproducible builds upstream, so let us know if you are interested in integrating this into your release process.