What are my options to ensure that GrapheneOS is really compiled from the source code I can see on GitHub? Do I understand correctly that I can only check if it was signed with the original signature?
That would mean that someone who compromises the build environment or has access to the private key could sign and spread a malicious version of GrapheneOS.
Or is there a way for me to verify that without building GrapheneOS myself?
Maybe someone can educate me on this topic.