
This is called "Reproducible Builds".

https://signal.org/blog/reproducible-android/




Reproducible builds are for developers. As a user I didn't build the app on my phone.

I have a phone with Signal on it. Tell me what I should do to verify it's running the open source Signal code.


You should check out Session. Their CTO apparently uses his PGP key to sign every release https://twitter.com/session_app/status/1514108746854985730


If you, as a user, are concerned about reproducibility, you are no longer an average user. Thus, if you want this extra security, you can be expected to check the APK on your phone.


Not perfect chain of custody but could report to virustotal (virustotal.com) and compare in a sandbox:

https://play.google.com/store/apps/details?id=com.funnycat.v...


Maybe you could figure this out yourself, and share your findings, rather than demanding answers from others?


Reproducible builds benefit the user by allowing independent checks of the software.


That page says:

> the Signal Android codebase includes some native shared libraries that we employ for voice calls (WebRTC, etc). At the time this native code was added, there was no Gradle NDK support yet, so the shared libraries aren’t compiled with the project build.

Also, assuming you trust the client, how to tell if the Signal server is running the published code, especially given Signal's track record of (not) publishing its source code?

https://linuxreviews.org/Signal_Appears_To_Have_Abandoned_Th...


Signal server is explicitly untrusted in the Signal threat model, which it must be due to being based in a country (like any other country) with laws that can be used to compel actions on the server's owners. They publish legal orders they receive and their responses.


A related project that is also necessary for this, Bootstrappable Builds:

https://bootstrappable.org/

Otherwise somewhere in the chain you are relying on binaries of unknown provenance.



