There are many known ways to sign binaries and source code - this much is trivial. Auditing changes as they are committed to GitHub is also trivial and just takes a bit of time.
Therefore, this is more of a question of how to establish a trustworthy process. Perhaps the client would seek approval from a list of external auditors, before updating itself? There are many options here.
This is way off topic though, so I hope the mods move this debate. No need to pour FUD into the investment thread.
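One concrete shape the "approval from a list of external auditors before updating itself" idea could take, as an added example that is not part of the original post and not the code of any actual client: the client pins the public keys of n auditors, each auditor signs a manifest (version plus SHA-256 of the exact build) after reviewing it, and the client installs the download only if the binary hashes to the manifest and at least k distinct pinned auditors have valid signatures over it. The manifest format, the Ed25519 choice, the auditor names and the sample "binary" are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is what auditors sign: the version and the SHA-256 of the exact
// binary, so an approval cannot be replayed onto a different build.
// (Hypothetical format chosen for this example.)
type Manifest struct {
	Version string
	SHA256  [32]byte
}

// Bytes returns the canonical byte string that auditors sign.
func (m Manifest) Bytes() []byte {
	return []byte("manifest-v1\n" + m.Version + "\n" + hex.EncodeToString(m.SHA256[:]) + "\n")
}

// Auditor is one entry in the client's pinned list of trusted reviewers.
type Auditor struct {
	Name string
	Pub  ed25519.PublicKey
}

// Approval is one auditor's signature over a manifest.
type Approval struct {
	Name string
	Sig  []byte
}

// NewAuditor generates a keypair for the named auditor. A real client would
// ship the public keys pinned in the binary; keys are generated here only to
// keep the example self-contained.
func NewAuditor(name string) (Auditor, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Auditor{Name: name, Pub: pub}, priv
}

// Approve is what an auditor runs after reviewing the release.
func Approve(name string, priv ed25519.PrivateKey, m Manifest) Approval {
	return Approval{Name: name, Sig: ed25519.Sign(priv, m.Bytes())}
}

// CountValidApprovals returns how many distinct pinned auditors have a valid
// signature over m. Unknown signers are ignored, an auditor counts at most
// once however many approvals they submit, and a bad signature counts for
// nothing.
func CountValidApprovals(m Manifest, auditors []Auditor, approvals []Approval) int {
	pubs := make(map[string]ed25519.PublicKey, len(auditors))
	for _, a := range auditors {
		pubs[a.Name] = a.Pub
	}
	seen := make(map[string]bool)
	msg := m.Bytes()
	for _, ap := range approvals {
		pub, ok := pubs[ap.Name]
		if !ok || seen[ap.Name] {
			continue
		}
		if ed25519.Verify(pub, msg, ap.Sig) {
			seen[ap.Name] = true
		}
	}
	return len(seen)
}

// ShouldUpdate is the gate run before installing a downloaded binary: the
// bytes must hash to what the manifest says, and at least threshold distinct
// auditors must have signed that manifest.
func ShouldUpdate(binary []byte, m Manifest, auditors []Auditor, approvals []Approval, threshold int) bool {
	if sha256.Sum256(binary) != m.SHA256 {
		return false
	}
	return CountValidApprovals(m, auditors, approvals) >= threshold
}

func main() {
	binary := []byte("constructed sample release binary") // constructed stand-in for a real build
	m := Manifest{Version: "1.2.3", SHA256: sha256.Sum256(binary)}

	alice, alicePriv := NewAuditor("alice")
	bob, bobPriv := NewAuditor("bob")
	carol, _ := NewAuditor("carol")
	auditors := []Auditor{alice, bob, carol}

	good := []Approval{Approve("alice", alicePriv, m), Approve("bob", bobPriv, m)}
	fmt.Println("2 of 3 signed, threshold 2:", ShouldUpdate(binary, m, auditors, good, 2))

	// A tampered download fails even with enough signatures.
	tampered := append([]byte(nil), binary...)
	tampered[0] ^= 1
	fmt.Println("tampered binary:", ShouldUpdate(tampered, m, auditors, good, 2))

	// The same auditor signing twice does not reach a threshold of 2.
	dup := []Approval{Approve("alice", alicePriv, m), Approve("alice", alicePriv, m)}
	fmt.Println("alice twice:", ShouldUpdate(binary, m, auditors, dup, 2))
}
```

The points worth noting in the gate: signatures are over the manifest, not the raw binary, so an auditor approving version 1.2.3 cannot be quoted as approving 1.2.4; the threshold counts distinct pinned keys, so one compromised auditor key cannot satisfy a 2-of-3 policy on its own; and the hash check runs before the signature count, so a manifest with enough approvals still cannot bless a different download.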