This is why projects like Reproducible Builds are so important. Basing all of your security on a company's signature on proprietary code is too risky.
I elaborate on some ways to protect the digital supply chain while borrowing metaphors from the food industry in this post: https://puri.sm/posts/protecting-the-digital-supply-chain/
@kyle Very interesting and shocking at the same time. Makes you wonder how things evolve in the near future where software still gets more important every day... Thanks for sharing.