> I bet you would, though, if the built OS image were 100% reproducible except for the signature.

CryptoSecure, depends how it's done but again neither can be trusted. Especially when you have no control over the silicon running the OS.

I don't trust Linux now. Microsoft got its mits with WSL. RedHat sold-out to IBM and Debian got in bed with Canonical. Arch & Valve I might trust slightly more. They've got to make money somehow /shrug.

I use FreeBSD and I don't trust that either unless I can do make install world, even then I have my suspicions.