This program is tentative and subject to change.
The security of software builds has attracted increased attention in recent years in response to incidents like SolarWinds and XZ. Several companies, including Oracle and Google, now rebuild open source projects in a secure environment and publish the resulting binaries through dedicated repositories. This practice enables direct comparison between these rebuilt binaries and the original ones produced by developers and published in repositories such as Maven Central. These binaries are often not bitwise identical; however, in most cases the differences can be attributed to variations in the build environment, and the binaries can still be considered equivalent. Establishing such equivalence, however, is a labor-intensive and error-prone process.
While there are some tools that can be used for this purpose, they all fall short of providing provenance, i.e. a readable explanation of why two binaries are equivalent, or not. To address this issue, we present daleq, a tool that disassembles Java bytecode into a relational database and can normalise this database by applying Datalog rules. Those databases can then be used to infer equivalence between two classes. Notably, equivalence statements are accompanied by Datalog proofs recording the normalisation process. We conduct a large-scale evaluation on 2,714 pairs of jars, consisting of 265,690 class pairs, and compare daleq with two existing bytecode transformation tools: the standard Java disassembler javap and jnorm. Our results show that daleq outperforms these tools by reporting more artifacts rebuilt from the same code as equivalent when they do not exhibit any behavioral differences. Daleq is an open-source tool and is available at https://github.com/binaryeq/daleq/.
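To make the idea concrete, here is a small added illustration (not daleq's own code or data model) of the approach the abstract describes: instructions of two builds are stored as relational facts, Datalog-style rules normalise away build-environment differences such as debug line tables and equivalent constant-push opcodes, and every derived fact carries a proof step so the equivalence verdict is explainable. The relation names, fact layout and the two rules are assumptions chosen for the illustration.

```python
# Constructed sample: method "m" of two builds as relational facts, in the
# spirit of disassembling bytecode into a database. Relation "instr" is
# (method, index, opcode, operand); "line" is a LineNumberTable entry.
DEV_BUILD = {
    ("instr", "m", 0, "bipush", "5"),
    ("instr", "m", 1, "ireturn", None),
    ("line", "m", 0, "12"),  # debug info present only in the developer build
}
REBUILD = {
    ("instr", "m", 0, "iconst_5", None),  # rebuild's javac chose iconst_5
    ("instr", "m", 1, "ireturn", None),
}

def rule_push(f):
    """bipush n and iconst_n both push int n -> norm(method, idx, "push", n)."""
    if f[0] != "instr":
        return None
    if f[3] == "bipush":
        return ("norm", f[1], f[2], "push", f[4])
    if f[3].startswith("iconst_"):
        n = f[3][len("iconst_"):]
        return ("norm", f[1], f[2], "push", "-1" if n == "m1" else n)
    return None

def rule_copy(f):
    """Every other instruction is carried over unchanged."""
    if f[0] == "instr" and rule_push(f) is None:
        return ("norm", f[1], f[2], f[3], f[4])
    return None

# "line" facts match no rule, so debug info is dropped by normalisation.
RULES = [("push_const", rule_push), ("copy", rule_copy)]

def normalise(facts):
    """Apply the rules (a one-stratum Datalog program); record a proof step
    (rule, premise, conclusion) for every derived fact."""
    norm, proof = set(), []
    for f in sorted(facts, key=str):
        for name, rule in RULES:
            c = rule(f)
            if c is not None:
                norm.add(c)
                proof.append((name, f, c))
    return norm, proof

def equivalent(a, b):
    """Verdict plus the two derivations that justify it."""
    na, pa = normalise(a)
    nb, pb = normalise(b)
    return na == nb, pa, pb
```

Calling `equivalent(DEV_BUILD, REBUILD)` yields `True` together with the proof steps showing that `bipush 5` and `iconst_5` were both rewritten to `push 5` and that the line-number fact produced no normalised counterpart; changing the rebuild's constant to `iconst_4` flips the verdict to `False`.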
Tue 18 Nov (displayed time zone: Seoul)
16:00 - 17:00
16:00 (10m, Talk) Measuring Software Resilience Using Socially Aware Truck Factor Estimation. NIER Track. Alexis Butler (Royal Holloway University of London), Dan O'Keeffe (Royal Holloway, University of London), Santanu Dash (University of Surrey)
16:10 (10m, Talk) Should We Evaluate LLM Based Security Analysis Approaches on Open Source Systems? Industry Showcase. Kohei Dozono (Technical University of Munich), Jonas Engesser (Technical University of Munich), Benjamin Hummel (CQSE GmbH), Alexander Pretschner (TU Munich), Tobias Roehm (CQSE GmbH)
16:20 (10m, Talk) DALEQ - Explainable Equivalence for Java Bytecode. Industry Showcase.
16:30 (10m, Talk) A Secure Mocking Approach towards Software Supply Chain Security. NIER Track. Daisuke Yamaguchi (NTT, Inc.), Shinobu Saito (NTT, Inc.), Takuya Iwatsuka (NTT), Nariyoshi Chida (NTT, Inc.), Tachio Terauchi (Waseda University)
16:40 (10m, Talk) TRON: Fuzzing Linux Network Stack via Protocol-System Call Payload Synthesis. Industry Showcase. Qiang Zhang (Hunan University), Yifei Chu (Tsinghua University), Yuheng Shen (Tsinghua University), Jianzhong Liu (Tsinghua University), Heyuan Shi (Central South University), Yu Jiang (Tsinghua University), Wanli Chang (College of Computer Science and Electronic Engineering, Hunan University)
16:50 (10m, Talk) Industry Practice of LLM-Assisted Protocol Fuzzing for Commercial Communication Modules. Industry Showcase. Qiang Fu (Central South University), Changjian Liu (Central South University), Yuan Ding (China Mobile IoT), Chao Fan (China Mobile IoT), Yulai Fu, Yuhan Chen (Central South University), Ying Fu (Tsinghua University), Ronghua Shi (Central South University), Fuchen Ma (Tsinghua University), Heyuan Shi (Central South University)