You are reading content from Scuttlebutt
@Daan %E+SP6bJr++pwCa4jfap+0AUupgcOOPzSYK+zJRhC4wM=.sha256
Re: %VvPN2Qu0D

@zozs yeah reproducible builds were also my first reaction.

Regarding the multi-stage pipelines: doesn't it kinda hollow out the idea of a signature system altogether if the person/machine signing the binary didn't build or at least verify it themselves? And the only real ways I can think of to verify that the binary is indeed what it's supposed to be are...

  1. Checking a signature (not possible; we're trying to verify for the signature)
  2. Building the binary yourself (would make the exercise pointless)
  3. Using reproducible builds and checking that there are no conflicting hashes in a sufficiently large pool of peers.

Or am I misunderstanding something here?
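As an added illustration (not part of the post above) of what option 3 amounts to in code: a signer compares its own build hash against hashes attested by a pool of peers who rebuilt the artifact independently, requires a minimum pool size, and treats any conflicting hash as a failure rather than out-voting it. The artifact bytes, peer names and hashes are constructed sample data.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Attestation:
    peer: str     # builder identity (constructed names below)
    sha256: str   # hex digest the peer reports for its own rebuild

def reproducible_check(local_hash, attestations, min_peers):
    """Return (ok, reason). ok only when at least min_peers distinct peers
    report exactly local_hash and nobody reports anything else. One
    conflicting hash fails the check rather than being out-voted: if the
    build is not reproducible, this method cannot verify the binary."""
    by_peer = {}  # one attestation per peer; duplicates would pad the pool
    for a in attestations:
        if by_peer.get(a.peer, a.sha256) != a.sha256:
            return False, f"peer {a.peer} attested two different hashes"
        by_peer[a.peer] = a.sha256
    if len(by_peer) < min_peers:
        return False, f"only {len(by_peer)} peers, need {min_peers}"
    counts = Counter(by_peer.values())
    if len(counts) > 1:
        others = sorted(h[:12] for h in counts if h != local_hash)
        return False, f"conflicting hashes from peers: {others}"
    if local_hash not in counts:
        return False, "peers agree with each other but not with local build"
    return True, f"{len(by_peer)} peers reproduced {local_hash[:12]}"

# Constructed sample: a fake artifact and the hashes peers would report.
ARTIFACT = b"\x7fELF constructed sample binary v1.0\n"
GOOD = hashlib.sha256(ARTIFACT).hexdigest()
BAD = hashlib.sha256(ARTIFACT + b"tampered").hexdigest()

def demo():
    agree = [Attestation(p, GOOD) for p in ("peer-a", "peer-b", "peer-c")]
    small = agree[:2]                          # pool too small to mean much
    conflict = agree + [Attestation("peer-d", BAD)]  # one peer disagrees
    return [reproducible_check(GOOD, pool, min_peers=3)
            for pool in (agree, small, conflict)]

if __name__ == "__main__":
    for ok, reason in demo():
        print("PASS" if ok else "FAIL", "-", reason)
```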
