This work addresses the critical challenge of ensuring that compiled binaries genuinely originate from their claimed source code—a cornerstone of software supply chain security. It introduces, for the first time, a zero-knowledge virtual machine (zkVM) into the compilation process by executing the ChibiCC compiler within the RISC Zero zkVM. This approach simultaneously produces the binary artifact and a cryptographic proof, establishing an end-to-end verifiable provenance chain without requiring replay of the build environment. By doing so, it overcomes the limitations of traditional reproducible builds and effectively mitigates threats such as compiler substitution, source or output tampering, and replay attacks. The feasibility and security of the proposed method are empirically validated on 200 synthetic programs and 52 real-world open-source libraries, including OpenSSL and libsodium.

Verifying that a compiled binary originates from its claimed source code is a fundamental security requirement, called source code provenance. Achieving verifiable source code provenance in practice remains challenging. The most popular technique, called reproducible builds, requires difficult matching and reexecution of build toolchains and environments. We propose a novel approach to verifiable provenance based on compiling software with zero-knowledge virtual machines (zkVMs). By executing a compiler within a zkVM, our system produces both the compiled output and a cryptographic proof attesting that the compilation was performed on the claimed source code with the claimed compiler. We implement a proof-of-concept implementation using the RISC Zero zkVM and the ChibiCC C compiler, and evaluate it on 200 synthetic programs as well as 31 OpenSSL and 21 libsodium source files. Our results show that zk-compilation is applicable to real-world software and provides strong security guarantees: all adversarial tests targeting compiler substitution, source tampering, output manipulation, and replay attacks are successfully blocked.