If you have deterministic full-source bootstrapped builds, it gets pretty simple and all of the third-party trust can go away.

You build it, I build it, we get the same hash. It allows anyone to prove a published binary is a faithful compilation of the given input source code.