DevConf.CZ 2026

Why Your Container Builds Aren't Reproducible (And How to Fix It)
2026-06-18, E112 (capacity 156)

Rebuild the same Containerfile with the same packages and you'll get a different image hash. This isn't a bug—it's the default behavior of container builds, and it breaks verification, caching, and supply chain security.

This talk explores the surprisingly hard problem of reproducible container builds. We'll dissect exactly what breaks reproducibility—timestamps, SQLite journal modes, machine-id files, transaction logs—and show practical techniques to fix each one.

We'll cover:

  • Live demo: same Containerfile, different hash—why?
  • SOURCE_DATE_EPOCH and timestamp normalization
  • The SQLite WAL surprise—and the one-line fix
  • A checklist of artifacts to remove for reproducibility
  • Verification: rebuilding from SLSA provenance attestations
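
The bullets above describe the two levers the talk relies on: clamping file timestamps to SOURCE_DATE_EPOCH and stripping build-host artifacts (machine-id, SQLite WAL/SHM side files, package-manager logs) before the layer is written. The Python below is an added illustration, not code from the talk or from Project Hummingbird: it models a rootfs as an in-memory dict, packs it into a tar layer, and shows that two "builds" differing only in build time hash differently by default and identically once normalized. The artifact list and the sample file contents are constructed assumptions.

```python
import hashlib
import io
import tarfile
from typing import Dict, Optional, Tuple

# Constructed sample rootfs: path -> (content, mtime). Two builds of the same
# Containerfile differ only in timestamps and in build-host state.
def sample_rootfs(build_time: int) -> Dict[str, Tuple[bytes, int]]:
    return {
        "usr/bin/app": (b"#!/bin/sh\necho hello\n", build_time),
        "etc/machine-id": (f"{build_time:032x}".encode(), build_time),
        "var/lib/rpm/rpmdb.sqlite": (b"SQLite format 3\x00", build_time),
        "var/lib/rpm/rpmdb.sqlite-wal": (b"wal-journal", build_time),
        "var/log/dnf.log": (f"built at {build_time}\n".encode(), build_time),
    }

# Artifacts that embed build-host state and must not reach the image layer.
# Assumption: an illustrative checklist, not the talk's full list.
DROP_EXACT = {"etc/machine-id", "var/log/dnf.log"}
DROP_SUFFIXES = ("-wal", "-shm")

def layer_digest(rootfs: Dict[str, Tuple[bytes, int]],
                 source_date_epoch: Optional[int]) -> str:
    """Pack rootfs into an uncompressed tar layer and return its sha256.
    With source_date_epoch set, mtimes are clamped and host artifacts are
    dropped; with None the layer is written as-is (the default behaviour)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for path in sorted(rootfs):            # deterministic entry order
            data, mtime = rootfs[path]
            if source_date_epoch is not None:
                if path in DROP_EXACT or path.endswith(DROP_SUFFIXES):
                    continue
                mtime = min(mtime, source_date_epoch)   # SOURCE_DATE_EPOCH clamp
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = mtime
            info.uid = info.gid = 0              # no host uid/gid leakage
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return hashlib.sha256(buf.getvalue()).hexdigest()

def reproducible(epoch: int = 1_700_000_000) -> Tuple[bool, bool]:
    """Return (digests match without normalization, digests match with it)."""
    a, b = sample_rootfs(epoch + 10), sample_rootfs(epoch + 9000)
    naive = layer_digest(a, None) == layer_digest(b, None)
    fixed = layer_digest(a, epoch) == layer_digest(b, epoch)
    return naive, fixed
```

Real builders apply the same two steps to each layer tarball, so the digest comparison here is the same check a CI job would run against two rebuilds.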

From Project Hummingbird (70+ container images, SLSA Level 3), we'll show how to achieve bit-for-bit identical rebuilds in your CI/CD pipelines.

Audience: CI/CD engineers, security teams, anyone wondering why their image rebuilds don't match.


Experience level: Intermediate - attendees should be familiar with the subject

DevOps/SRE person and engineer at Red Hat leading the pipeline and reliability work for building "modern" container images in Project Hummingbird
