Again, thank you very much. Just tested it and seem to be able to get some very good results indeed. Will look at ways of utilizing it for future versions.
Honestly, I personally feel like only stable releases should find their way into the Installers. Anything else might overcomplicate things. For those brave enough to test a newer version, they may still use the standard VBox import features.
Sadly compiling everything "in one go" is not possible at the moment. Regarding compromise via the toolset, there are multiple things making this rather hard:
1.) I compile nsisbi from source each and every time I build the installer.
2.) VisualStudio (being freshly installed for every version) does sanity checks by itself during download and installation.
3.) Every other file gets verified by me.
4.) I compile each version on multiple independent EC2-Instances which are accessed via a virtual machine to begin with. These are only used once for their respective purpose, then destroyed.
5.) Once compiled, I verify the binary with a fresh and only once used GPG-Key.
6.) Verify and test this version in another, separate VM on my PC.
7.) Compare the signature from this version to one I got from an installer I simply made on my PC.
8.) Once everything is in order, sign it with my own, permanent GPG key.
The process is rather complicated and takes quite a lot of time, though from what I can see, there seems to be a rather small attack surface.
The easiest way to ensure that there is really no code "in there", which somehow slipped through my compiling procedures, would really be to compile everything by yourself.
Like mentioned, I literally do not save anything from any previous compilation. I always start out on what are fresh machines with nothing on them. So I myself can only rely on the source code found and retrieved from Github.
Have a nice day,
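The comparison in step 7 of the post (an installer built on a throwaway EC2 instance checked against one built locally before the permanent key signs it) can be scripted. The following is an added example and not the poster's own tooling; it constructs three small sample files in a temporary directory to stand in for the installers, assumes `sha256sum` or `shasum` is on the PATH, and leaves the final `gpg --detach-sign` step as a comment so the script runs offline.

```shell
#!/bin/sh
# Added example: compare two independently built release artifacts by
# SHA-256 digest and only then hand off to the permanent signing key.
# Not the poster's build scripts; file names and contents are constructed.

digest() {
    # Print the SHA-256 hex digest of a file; portable across Linux and macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# builds_match FILE_A FILE_B
# Exit status 0 when both artifacts have the same digest, 1 otherwise.
builds_match() {
    a=$(digest "$1")
    b=$(digest "$2")
    printf 'build A: %s\nbuild B: %s\n' "$a" "$b"
    [ "$a" = "$b" ]
}

# Constructed sample artifacts standing in for the EC2 build, the local
# build, and a build whose bytes differ (assumed values, not real installers).
tmp=$(mktemp -d)
printf 'installer-bytes-v1' > "$tmp/installer-ec2.exe"
printf 'installer-bytes-v1' > "$tmp/installer-local.exe"
printf 'installer-bytes-v1-different' > "$tmp/installer-other.exe"

if builds_match "$tmp/installer-ec2.exe" "$tmp/installer-local.exe"; then
    echo "digests agree: proceed to sign with the permanent key"
    # gpg --detach-sign --armor "$tmp/installer-ec2.exe"   # step 8 would run here
else
    echo "digests differ: do not sign; inspect the toolchain on both hosts" >&2
fi
```

The digest comparison is the whole point: if two builds from independent, freshly provisioned machines produce byte-identical output, a modification introduced by one of the toolchains would have to be present on both, which is what the post's "fresh machine, used once" approach is designed to rule out. A mismatch is a signal to stop before the permanent key is involved, since a signature only attests to what was signed, not to how it was produced.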