> - is this actually the binary that comes from that code?

Reproducible Builds that are also Bootstrappable Builds, starting from a minimal auditable machine code seed.
https://reproducible-builds.org/ https://bootstrappable.org/ https://lwn.net/Articles/983340/ https://stagex.tools/

> - is that code trustworthy?

Socially distributed code auditing:
https://github.com/crev-dev/

> - is this binary trustworthy?

The other two combined should provide this.