This is why projects like Reproducible Builds are so important: a vendor's signature only proves who shipped a binary, not that the binary was built from the source anyone can inspect. Reproducible builds let an independent party rebuild from that source and check, byte for byte, that it matches what was shipped. Basing all of your security on a company's signature on proprietary code is too risky.

I elaborate on some ways to protect the digital supply chain while borrowing metaphors from the food industry in this post:

