Does building two exact matching C# projects on different computers always generate the same executable?

Question

This is assuming both computers have copied the exact same C# .NET project from one computer to the other. When you build the projects on both computers, are the executables exactly the same? If not, what's the difference?

The reason I ask is so source code can be validated as matching an executable. This is to assure users that are willing to build the program themselves that it's an exact match.

Answer 1

To quote Eric Lippert:

No.

Well, that was an easy blog to write.

There is a GUID called the "Mvid" included when you build, to ensure that each build is different. Also, the C# compiler is not guaranteed to write the same instructions each time you run it. But in practice, in similar enough environments (for some definition of "similar"), I'd expect it to.

You can tell your users about this, and allow them to check for differences. If the only difference is in the Mvid, then they're done. If there are other changes, then they'd need to examine the functionality of the IL code to make sure that it is equivalent to yours. (this can be made easier with a decompiler like ILSpy)

If they're that paranoid, the best bet is probably just to build from the source themselves every time, and use their own build. But I do understand the usefulness of being able to audit it, e.g. you'd want to know that the official TrueCrypt or Bitcoin clients are legit.