Yeah, there is support for API notarization, so in principle you could have an audit trail that some automated build process got a specific notary result that's "stapled" to the app. I'm not familiar enough to say how trustworthy that approach is, or what exactly you'd need to prove it. And yes, aim for a reproducible build that produces assets with checksums that can be matched to the distributed one.
The mitigation is that if someone finds out a (notarized) download is compromised, they can tell Apple, and Apple can retroactively and quickly revoke the signing, which is distributed via Gatekeeper. Other users should get the warning even if they had previously run the app without an issue.
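The two checks the thread is circling around, matching a downloaded artifact against a published checksum from a reproducible build and then asking the local macOS tooling whether the signature, stapled notarization ticket and Gatekeeper verdict still hold, as an added example that is not code from either commenter. The `SHA256SUMS` file format, the artifact names and the `selfcheck()` helper are assumptions made for illustration; the `codesign`, `xcrun stapler` and `spctl` invocations are the standard Apple command lines and only run on a Mac.

```python
"""Verify a downloaded macOS artifact before trusting it (added example).

1. Compare the download's SHA-256 against a sha256sum-style checksum list
   (the reproducible-build side of the discussion).
2. On macOS, run the local checks: code signature, stapled notarization
   ticket, and Gatekeeper's assessment. The assessment is also where a
   revocation pushed by Apple shows up, so a previously fine app can fail it.
Artifact names and the checksum-list format are assumptions for the example.
"""
import hashlib
import hmac
import platform
import subprocess
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large DMGs do not land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse '<hex>  <filename>' lines as written by `sha256sum`/`shasum -a 256`.

    Binary-mode entries are written as '*<filename>'; the asterisk is stripped.
    Malformed lines raise rather than being silently skipped.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums


def checksum_matches(artifact: Path, sums_text: str) -> bool:
    """True only if the artifact is listed by name and its digest matches."""
    expected = parse_sha256sums(sums_text).get(artifact.name)
    if expected is None:
        return False
    # constant-time compare is cheap insurance when digests come from user input
    return hmac.compare_digest(expected, sha256_of(artifact))


def _run(cmd: list) -> tuple:
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.returncode, (p.stdout + p.stderr).strip()


def gatekeeper_checks(app: Path) -> dict:
    """Run the macOS-only checks; each value is (ok, tool output)."""
    if platform.system() != "Darwin":
        return {"skipped": "codesign/stapler/spctl are only available on macOS"}
    checks = {
        # signature chain plus resource integrity of the bundle
        "codesign": ["codesign", "--verify", "--deep", "--strict", "--verbose=2", str(app)],
        # a notarization ticket is stapled to the bundle (offline check)
        "stapler": ["xcrun", "stapler", "validate", str(app)],
        # Gatekeeper's verdict for launching; reflects revoked tickets/certs
        "spctl": ["spctl", "--assess", "--type", "execute", "--verbose=2", str(app)],
    }
    return {name: (lambda r: (r[0] == 0, r[1]))(_run(cmd)) for name, cmd in checks.items()}


def verify_download(artifact: Path, sums_text: str) -> dict:
    """Combine both layers; a checksum mismatch short-circuits the rest."""
    if not checksum_matches(artifact, sums_text):
        return {"checksum": False, "gatekeeper": None}
    return {"checksum": True, "gatekeeper": gatekeeper_checks(artifact)}


def selfcheck() -> dict:
    """Constructed sample: a fake artifact, a matching and a tampered sums file."""
    d = Path(tempfile.mkdtemp())
    art = d / "MyApp.dmg"
    art.write_bytes(b"constructed sample artifact, not a real DMG")
    good = sha256_of(art)
    sums_ok = f"{good}  MyApp.dmg\n{'0' * 64} *Other.dmg\n"
    sums_bad = f"{'f' * 64}  MyApp.dmg\n"
    sums_renamed = f"{good}  Renamed.dmg\n"
    return {
        "digest": good,
        "parsed": parse_sha256sums(sums_ok),
        "match": checksum_matches(art, sums_ok),
        "tampered": checksum_matches(art, sums_bad),
        "renamed": checksum_matches(art, sums_renamed),
        "full": verify_download(art, sums_ok),
    }


if __name__ == "__main__":
    print(selfcheck())
```

The checksum step is the part anyone can run on any platform and compare against the numbers a reproducible build pipeline publishes; the three Apple tools are what a Mac user would run by hand, and `spctl --assess` is the one that changes its answer after a revocation.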