diff --git a/Dockerfile b/Dockerfile
index 8975a40..3a0a965 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,8 +3,9 @@
 # docs/developer/reproducibility.md.
 ARG DEBIAN_IMAGE_DATE=20250224
+ARG DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
-FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
+FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
 ARG GVISOR_ARCHIVE_DATE=20250217
 ARG DEBIAN_ARCHIVE_DATE=20250226
@@ -185,8 +186,8 @@ RUN mkdir -p \
 # Copy the /etc and /var directories under the new root directory. Also,
 # copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
 #
-# NOTE: We also have to remove the resolv.conf file, in order to not leak any DNS
-# servers added there during image build time.
+# NOTE: We also have to remove the resolv.conf file, in order to not leak any
+# DNS servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
 && rm /new_root/etc/resolv.conf
 RUN cp -r /etc /opt /usr /new_root/home/dangerzone/dangerzone-image/rootfs \
diff --git a/Dockerfile.env b/Dockerfile.env
index ac3fcd1..9bde3cf 100644
--- a/Dockerfile.env
+++ b/Dockerfile.env
@@ -1,5 +1,7 @@
 # Can be bumped to the latest date in https://hub.docker.com/_/debian/tags?name=bookworm-
 DEBIAN_IMAGE_DATE=20250224
+# Should be the INDEX DIGEST for the tag with the selected build date
+DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
 # Can be bumped to today's date
 DEBIAN_ARCHIVE_DATE=20250226
 # Can be bumped to the latest date in https://github.com/google/gvisor/tags
diff --git a/Dockerfile.in b/Dockerfile.in
index 050cd2a..14bf7af 100644
--- a/Dockerfile.in
+++ b/Dockerfile.in
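Review bot: On the new `FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim@${DEBIAN_IMAGE_DIGEST}` line the digest alone determines which image is pulled and the tag is not checked against it, so bumping `DEBIAN_IMAGE_DATE` without also updating `DEBIAN_IMAGE_DIGEST` would keep building from the old base while the tag advertises a newer date. That coupling is invisible at the point of use; a comment above the new `ARG` would make it explicit: `# The digest is what actually pins the base image; the tag is informational.` / `# Bump both together (see Dockerfile.env).` The same hunk appears in Dockerfile.in, which looks like the template this file is generated from, so the comment belongs there as well. The second hunk in this file only rewraps a comment.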
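Review bot: The new comment on `DEBIAN_IMAGE_DIGEST` says which digest to use but not how to obtain or check it when `DEBIAN_IMAGE_DATE` is bumped, and a stale digest still builds without error, so this is the value most likely to drift. Suggest expanding it to `# Should be the INDEX DIGEST (the multi-arch manifest list, not a per-arch manifest) for the tag with the selected build date,` / `# as printed under "Digest:" by: docker buildx imagetools inspect debian:bookworm-<DEBIAN_IMAGE_DATE>-slim`. Note also that the entry this commit adds to docs/developer/reproducibility.md reuses the `DEBIAN_IMAGE_DATE` wording ("The date that the Debian container image was released") for the digest and should instead say it is the sha256 index digest of that image.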
@@ -3,8 +3,9 @@
 # docs/developer/reproducibility.md.
 ARG DEBIAN_IMAGE_DATE={{DEBIAN_IMAGE_DATE}}
+ARG DEBIAN_IMAGE_DIGEST={{DEBIAN_IMAGE_DIGEST}}
-FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
+FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
 ARG GVISOR_ARCHIVE_DATE={{GVISOR_ARCHIVE_DATE}}
 ARG DEBIAN_ARCHIVE_DATE={{DEBIAN_ARCHIVE_DATE}}
diff --git a/docs/developer/reproducibility.md b/docs/developer/reproducibility.md
index 934e5a6..f18f198 100644
--- a/docs/developer/reproducibility.md
+++ b/docs/developer/reproducibility.md
@@ -28,6 +28,7 @@ This means that rebuilding the image without updating our Dockerfile will
 Here are the necessary variables that make up our image in the `Dockerfile.env` file:
 * `DEBIAN_IMAGE_DATE`: The date that the Debian container image was released
+* `DEBIAN_IMAGE_DIGEST`: The date that the Debian container image was released
 * `DEBIAN_ARCHIVE_DATE`: The Debian snapshot repo that we want to use
 * `GVISOR_ARCHIVE_DATE`: The gVisor APT repo that we want to use
 * `H2ORESTART_CHECKSUM`: The SHA-256 checksum of the H2ORestart plugin