This does seem wildly overcomplicated. Here is the attestation system they use: https://github.com/in-toto/attestation/blob/main/spec/README...

Why not Just(TM) enforce a reproducible build process? That brings some of its own challenges, but would represent a real upgrade over building out some Swiss cheese like this.