archseer
commented
2 years ago We weren't able to use anchor build --verify on the CI because it expects to spawn it's own Docker container, but it's already running in a container. It ends up building nothing and just failing. I think the environment is deterministic enough though (since we're building inside projectserum/build, which is what --verifiable does), we just need to validate if the sha256 matches a local anchor build --verifiable output.
There is no Etherscan on Solana that we could use to publicly verify deployed contracts, but maybe we could add a public helper script using Anchor Verifiable Builds so users could verify themselves, or CI could do it for them and report it.
Resources: