There are some efforts [1] to make reproducible builds really work; the nix guys also have some experience with them, as others have noted. Isolated deterministic environments and stripping binaries/archives (the strip-nondeterminism tool) [2] generally do the trick.
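The archive-normalisation step mentioned above (the job strip-nondeterminism does: fixed ordering, mtime, owner and mode bits), as an added example that is not part of this thread. It builds the same constructed source tree twice, a second apart: the naive tarball changes because file mtimes leak in, the normalised one hashes identically. SOURCE_DATE_EPOCH is a constructed constant here, standing in for the environment variable of the same name.

```python
import hashlib
import io
import os
import tarfile
import tempfile
import time

SOURCE_DATE_EPOCH = 1500000000  # constructed fixed build timestamp


def write_tree(root):
    """Constructed sample tree: identical contents every time, fresh mtimes."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    for rel, data in (("main.js", b"console.log('hi')\n"),
                      (os.path.join("lib", "util.js"), b"exports.x = 1\n")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)


def naive_tar(root):
    """Keeps each entry's mtime, uid/gid and mode exactly as found on disk."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname="pkg")
    return buf.getvalue()


def deterministic_tar(root):
    """Sorted entries, fixed mtime, owner 0:0, no names, canonical modes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        entries = [os.path.join(d, n) for d, dirs, files in os.walk(root) for n in dirs + files]
        for path in sorted(entries):
            info = tar.gettarinfo(path, arcname="pkg/" + os.path.relpath(path, root))
            info.mtime = SOURCE_DATE_EPOCH
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o755 if info.isdir() else 0o644
            if info.isfile():
                with open(path, "rb") as f:
                    tar.addfile(info, f)
            else:
                tar.addfile(info)
    return buf.getvalue()


def build_twice(builder):
    """Build from two fresh checkouts over a second apart; return both sha256 digests."""
    digests = []
    for _ in range(2):
        with tempfile.TemporaryDirectory() as root:
            write_tree(root)
            digests.append(hashlib.sha256(builder(root)).hexdigest())
        time.sleep(1.1)  # tar stores mtime at one-second resolution
    return digests
```

Running `build_twice(naive_tar)` yields two different digests, `build_twice(deterministic_tar)` the same digest twice.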
As well as supporting work to help independent verification of the "chain of custody". There are 25 of those under that label, if you use the search box.
"Investigate how we can allow users to independently verify/authenticate a final buildpack" (https://www.pivotaltracker.com/story/show/104469634)
"Explore: Compiled binaries should be reproducible" (https://www.pivotaltracker.com/story/show/104746074)
"determine whether the libfaketime reproducible build strategy will work across all of our binaries" (https://www.pivotaltracker.com/story/show/107752798)
"Investigate Why are our node builds not reproducible?" (https://www.pivotaltracker.com/story/show/128161137)