
You can argue that you can check the checksum of the application's package, but you are then trusting the developer to have compiled the right code and provided the right signature.

Is there a way to verify this trustlessly, or is it impossible?

Thanks!

1 Answer


If you really need to be sure, nothing beats building the program from the source code yourself...

However, in general, you trust your distribution to package and distribute "the right version" of the software for you. That's part of the choice of a distribution. It is not uncommon for these packages to have distribution-specific patches (for example, back-porting security fixes to earlier versions of a piece of software). However, your distribution is the people you trust to give you the whole operating system, and the means to install more packages.

Following that logic of trust, checking the signature of the package you get from the repository (which is generally done automatically anyway) should be sufficient.

If you do not trust one piece of software like that, think about your Linux kernel, or your graphics server, or your web browser...

Ybalrid
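As an added example (not part of Ybalrid's answer or of the original question), the POSIX shell script below makes the "checksum alone is not trustless" point concrete. It builds a constructed release (a payload file plus the `SHA256SUMS` manifest a maintainer would publish), verifies it, then plays the attacker who controls the download location and rewrites both the payload and the manifest: the checksum still passes. The only check that catches the swap is one anchored outside the mirror, here a manifest obtained from a trusted place (your distribution's signed repository metadata, or a `SHA256SUMS` whose detached signature you verify with a key you already hold). All file names, directories and contents are constructed for illustration; `verify_manifest_signature` is included to show where the signature step sits and is only exercised if `gpg` and a `SHA256SUMS.asc` exist.

```shell
#!/bin/sh
# Added example, not from the original answer: checksum vs. trust anchor.
# Everything under the temp directory is constructed for the demonstration.
set -eu

# Pick a SHA-256 tool: GNU coreutils sha256sum, or shasum (perl/BSD) as fallback.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# Constructed "release": a payload and the manifest a maintainer would publish.
make_release() {
    dir=$1
    mkdir -p "$dir"
    printf 'int main(void) { return 0; }\n' > "$dir/release.bin"
    ( cd "$dir" && $(sha256_tool) release.bin > SHA256SUMS )
}

# Attacker scenario: a compromised mirror swaps the payload and regenerates the
# manifest so that the two still agree with each other.
tamper_release() {
    dir=$1
    printf 'int main(void) { return 1; }\n' > "$dir/release.bin"   # "backdoored" build
    ( cd "$dir" && $(sha256_tool) release.bin > SHA256SUMS )
}

# Checksum check using the manifest that came with the download.
# Exit status 0 = every listed file matches, non-zero = mismatch or missing file.
verify_checksums() {
    dir=$1
    ( cd "$dir" && $(sha256_tool) -c SHA256SUMS >/dev/null 2>&1 )
}

# Checksum check against a manifest you obtained from a trusted source,
# e.g. your distribution's signed repository metadata, never from the same mirror.
verify_with_trusted_manifest() {
    dir=$1
    trusted=$2
    ( cd "$dir" && $(sha256_tool) -c "$trusted" >/dev/null 2>&1 )
}

# The step that turns a checksum into a trust decision: is SHA256SUMS the one the
# maintainers signed? Needs their public key in your keyring (obtained out of band).
# Exit status 0 = good signature, 1 = bad/unverifiable, 2 = gpg not installed.
verify_manifest_signature() {
    dir=$1
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d)
    make_release "$work/good"
    verify_checksums "$work/good" && echo "good release: checksum matches"

    cp -R "$work/good" "$work/mirror"
    tamper_release "$work/mirror"
    verify_checksums "$work/mirror" \
        && echo "tampered release: checksum STILL matches (attacker rewrote SHA256SUMS too)"

    if verify_with_trusted_manifest "$work/mirror" "$work/good/SHA256SUMS"; then
        echo "trusted manifest: unexpectedly matched"
    else
        echo "trusted manifest: mismatch detected, only a manifest you trust catches the swap"
    fi

    if verify_manifest_signature "$work/mirror"; then
        echo "signature: good"
    elif [ $? -eq 2 ]; then
        echo "signature: gpg not available, step skipped"
    else
        echo "signature: missing or bad (expected here: no SHA256SUMS.asc was published)"
    fi
    rm -rf "$work"
}

demo
```

The takeaway matches the answer: `sha256sum -c` only proves that the file you got is the file the manifest describes. Who wrote the manifest is the whole question, which is why distributions sign their repository metadata and why `apt`, `dnf` and friends refuse packages whose signature chain does not reach a key you installed with the system.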