Sorry but that's just silly. For at least two reasons: 1) A checksum match can only guarantee that the compiled binary matches the supplied sources. Not that the sources are safe and do not contain some hidden gems. 2) A checksum is not going to match anyway. At least in my experience, every time I build something I get a slightly different binary. The compiler embeds things like the build date/time etc.