@zozs yeah reproducible builds were also my first reaction.
Regarding the multi-stage pipelines: doesn't it kinda hollow out the idea of a signature system altogether if the person/machine signing the binary didn't build or at least verify it themselves? And the only real ways I can think to verify that the binary is indeed what it's supposed to be are...
- Checking a signature (not possible; we're trying to verify for the signature)
- Building the binary yourself (would make the exercise pointless)
- Use reproducible builds and check that there are no conflicting hashes in a sufficiently-large pool of peers.
Or am I misunderstanding something here?