Bitcoin downloads dependencies, checks them against their preconfigured hashes and then builds the different versions (Windows, Linux, Mac) in different VMs. The build is deterministic and thus produce the exact same files for everybody. Everyone signs the files they produced and uploads the signature. If all the signatures are valid for the same file you can be reasonably sure that the build process wasn't tampered with.
Getting deterministic builds even for a project like Bitcoin Core with few dependencies was hard. On the scale of Qubes this would be a monumental task. But maybe Debian's initative for reproducible builds makes this easier in the future.