Using OpenVM securely requires deterministic program compilation, which enables users to verify that OpenVM binaries correspond to the original programs they are interested in. On the Axiom Proving API, we achieve this by running the compilation process in a Docker container with a fixed single architecture linux/amd64 platform with the riscv32im-risc0-zkvm-elf target. The resulting RISC-V ELF is then transpiled to an OpenVM binary. See the OpenVM documentation for more details about this build process. To replicate a build done on the Axiom Proving API, follow these steps:
  1. Download the program source code (a tar.gz file) and the OpenVM config (a openvm.toml file) from the Axiom Proving API console program page.
  2. Prepare the following files locally:
An executable script (compile.sh), that compiles a program and puts the output in the output directory:
compile.sh
#!/bin/bash

cd YOUR_PROGRAM_NAME  # this is the directory name of your program
cargo openvm build
cp openvm/app.vmexe ../output/
And the Dockerfile. Note that --platform=linux/amd64 on the first line is necessary to guarantee that the build is identical.
Dockerfile
FROM --platform=linux/amd64 rust:1.85.1-bookworm@sha256:e51d0265072d2d9d5d320f6a44dde6b9ef13653b035098febd68cce8fa7c0bc4

# These subcommands must be run in the same command to avoid a cross-device linking error
RUN rustup toolchain install nightly-x86_64-unknown-linux-gnu && \
    rustup install nightly-2025-02-14 && \
    rustup component add rust-src --toolchain nightly-2025-02-14-x86_64-unknown-linux-gnu

RUN cargo install --locked --git http://github.com/openvm-org/openvm.git --tag v1.3.0 cargo-openvm

COPY openvm.toml ./openvm.toml

COPY program.tar.gz ./program.tar.gz
RUN tar -xzf program.tar.gz

COPY compile.sh ./compile.sh

CMD ["./compile.sh"]
  1. And then run these commands:
docker build -f Dockerfile . -t my-reproducible-build:latest

mkdir -p output
docker run -v $(pwd)/output:/output my-reproducible-build:latest
  1. Finally, download the OpenVM exe from the Axiom Proving API console and confirm that it matches what you obtained locally.
diff output/app.vmexe your-downloaded-exe