This is most probably due to the difference in build environments, particularly the build path. The environment in which the jp2a binary was compiled is different from the environment on your machine.
When I ran sha256sum on the precompiled binary, I obtained 32a8ed0a470cb1b1b0938fd17351a18df2a559fbbb79873d7455f01ddd544751 jp2a, which was expected.
But when I recompiled it from sources obtained via apt, and ran sha256sum, I got 541a2c9f97cba6f9732129ca442634ac0206906bd8e9cb2690f4b28e9b8efed0 jp2a, which was different than the hash of the precompiled binary as well as the value you obtained. This is quite possibly due to the fact that none of the build environments are identical.
How can I verify the reproducibility of the binary found in the official Debian GNU/Linux package?
To do this, you have to set up a build environment identical to the one in which the precompiled binary was built. This information should be present in the .buildinfo file. I’ll work on doing this, and post here soon.
Thus, the binary built from source (obtained via apt) is reproducible. But, this hash does not match the hash of the precompiled binary obtained by apt-get install. I’m not sure what is the cause of this difference, but I’ll investigate further.
An update on this. Running diffoscope on the two binaries produced a large output with several (low-level) differences, although it wasn’t very clear what was the origin of those differences. I might have to get in touch with the package maintainer to discuss this matter before I can post another update.
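For the .buildinfo step mentioned above, here is an added example (not part of the original answer) that reads the fields a rebuild has to replicate and checks a rebuilt package against the recorded checksum. It assumes an unsigned .buildinfo with the standard field names; the sample file, versions and package bytes are constructed placeholders. The Checksums-Sha256 entries cover the .deb files, not the executable inside them.

```python
import hashlib
import re

def parse_buildinfo(text):
    """Parse deb822 fields; continuation lines start with whitespace."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith((" ", "\t")) and key:
            fields[key].append(line.strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = [value.strip()] if value.strip() else []
    return fields

def build_recipe(fields):
    """Collect what must be identical on the rebuild machine."""
    env = dict(re.match(r'(\w+)="(.*)"$', e).groups() for e in fields["Environment"])
    deps = [re.match(r"(\S+) \(= (\S+)\)", d).groups()
            for d in fields["Installed-Build-Depends"]]
    return {"path": fields["Build-Path"][0], "env": env, "deps": deps}

def recorded_sha256(fields):
    """Map artifact file name -> SHA-256 recorded by the original builder."""
    return {name: digest for digest, _size, name in
            (entry.split() for entry in fields["Checksums-Sha256"])}

def matches_record(fields, name, data):
    return recorded_sha256(fields).get(name) == hashlib.sha256(data).hexdigest()

# Constructed sample: placeholder versions and a stand-in for the .deb bytes.
DEB_NAME = "jp2a_0.0.0-1_amd64.deb"
DEB_BYTES = b"constructed stand-in for the package file"
SAMPLE = f"""Format: 1.0
Source: jp2a
Version: 0.0.0-1
Checksums-Sha256:
 {hashlib.sha256(DEB_BYTES).hexdigest()} {len(DEB_BYTES)} {DEB_NAME}
Build-Path: /build/jp2a-EXAMPLE/jp2a-0.0.0
Installed-Build-Depends:
 autoconf (= 0.0-1),
 gcc (= 4:0.0-1)
Environment:
 LANG="C.UTF-8"
 SOURCE_DATE_EPOCH="1500000000"
"""

if __name__ == "__main__":
    f = parse_buildinfo(SAMPLE)
    print(build_recipe(f), matches_record(f, DEB_NAME, DEB_BYTES))
```

A mismatch against the recorded value means the rebuilt .deb differs somewhere, which is the point at which a tool like diffoscope is useful for locating the difference.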