We are planning to release email privacy software and make the source code available for peer review. How can a reviewer be certain that the app we publish is built from the source code that he reviews?
Even if the reviewer spent several days creating the development environment with all the tools and libraries, and then built the executable using the same tools as us, he would still not get an identical exe file. This is because before building we must sign our code with Sectigo and Microsoft tokens. Those are physical tokens and we cannot give them to the reviewer. So if the reviewer were to compare the hash of his build with the hash of ours, they would come out different.
I don't know if this makes any difference, but most of our app is written in Python and PyQ, but some parts are in C++.
So the real question is how can the user be certain that the app that is supposed to protect his privacy really does that, rather than perhaps spying on him?
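As an added illustration (not part of the question, and not the project's code): code signing only touches three places in a PE file, namely the CheckSum field, the Security data-directory entry and the appended certificate table, so a reviewer can compare a signed release with an unsigned rebuild by hashing everything except those regions. The script builds a constructed headers-only PE image to show the check; the simplified digest and the `build_constructed_pe` helper are assumptions for the demonstration, not the full Authenticode algorithm.

```python
import hashlib
import struct

SECURITY_DIR_OFF = {0x10B: 128, 0x20B: 144}  # PE32 / PE32+ offset in the optional header


def signature_invariant_digest(pe: bytes, algo: str = "sha256") -> str:
    """Hash a PE image while masking what code signing writes: the CheckSum
    field, the Security directory entry and the appended certificate table.
    Simplified from Authenticode (which hashes section by section); enough to
    compare a signed release with an unsigned rebuild of the same sources."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20                       # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in SECURITY_DIR_OFF:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum = opt + 64                         # CheckSum field, 4 bytes
    sec_dir = opt + SECURITY_DIR_OFF[magic]     # IMAGE_DIRECTORY_ENTRY_SECURITY (file offset, size)
    cert_off, cert_len = struct.unpack_from("<II", pe, sec_dir)
    h = hashlib.new(algo)
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:sec_dir])
    h.update(pe[sec_dir + 8:cert_off if cert_off else len(pe)])
    if cert_off:
        h.update(pe[cert_off + cert_len:])      # anything after the certificate table
    return h.hexdigest()


def same_build(signed: bytes, unsigned: bytes) -> bool:
    """True when the two images differ only in the signing-related fields."""
    return signature_invariant_digest(signed) == signature_invariant_digest(unsigned)


def build_constructed_pe(signature: bytes = b"") -> bytes:
    """Constructed headers-only PE32 image for the demo (not a real executable).
    A non-empty `signature` mimics what the signing tool changes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    image = bytes(dos) + coff + bytes(opt) + b"CODE" * 4         # 8-byte aligned length
    if not signature:
        return image
    img, opt_off = bytearray(image), 0x40 + 24
    struct.pack_into("<I", img, opt_off + 64, 0xDEADBEEF)        # signing rewrites CheckSum
    cert = struct.pack("<IHH", 8 + len(signature), 0x200, 2) + signature  # WIN_CERTIFICATE
    struct.pack_into("<II", img, opt_off + 128, len(img), len(cert))
    return bytes(img) + cert
```

If the unsigned build's length is not a multiple of 8, the signer pads the file before appending the certificate table, so that padding must be discounted as well; in practice a reviewer can strip the signature with a tool such as `osslsigncode remove-signature` and then compare plain hashes.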