
If you use GnuPG on a system with any unverified-build and audited for security compliance software / hardware, can you be certain GnuPG is behaving as expected?



For what it's worth, Debian's gnupg2 package builds reproducibly [0]. That doesn't mean that the Debian-specific patches [1] have necessarily been widely audited, though, even if the upstream code itself has enough eyes on it.

Also, it's not exactly clear how an end user would discover that the Debian package they installed had a different checksum from the version that was reproducibly built, or whether sufficiently independent teams are re-creating these checksums and have a way of notifying people of discrepancies.

[0] https://tests.reproducible-builds.org/debian/rb-pkg/unstable...

[1] https://sources.debian.org/src/gnupg2/2.2.20-1/debian/patche...
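The manual check the comment above says is missing, as an added example that is not part of the original thread: a POSIX shell function that computes the SHA-256 of a local .deb and compares it against a digest you obtained out of band (from a rebuilder's published .buildinfo, a second machine, or a colleague's independent build). The `gnupg2` package name and `apt-get download` are real; the expected digest is a placeholder you must supply yourself, and the demo input below is a constructed file, not a real package. Note what the function cannot do: it only tells you whether two digests agree, so if the "expected" value comes from the same mirror that served the package, the comparison proves nothing.

```sh
#!/bin/sh
# Added example (not from the thread): compare a .deb against an independently
# obtained SHA-256. Requires coreutils sha256sum; apt-get only for demo_real_package.

# verify_deb_hash FILE EXPECTED_HEX
#   0 = digest matches, 1 = mismatch, 2 = file unreadable.
verify_deb_hash() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise hex case
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file"
    echo "  expected: $expected"
    echo "  actual:   $actual"
    return 1
}

# demo_real_package PKG EXPECTED_HEX
#   Fetch the exact .deb apt would install (without installing it) and compare.
#   EXPECTED_HEX is a placeholder: obtain it from a source independent of the mirror.
demo_real_package() {
    pkg="${1:-gnupg2}"
    expected="$2"
    tmpdir=$(mktemp -d)
    ( cd "$tmpdir" && apt-get download "$pkg" ) || return 2
    deb=$(ls "$tmpdir"/*.deb 2>/dev/null | head -n 1)
    verify_deb_hash "$deb" "$expected"
}

# demo_constructed: constructed input so the function can be exercised offline.
#   The file holds "hello\n"; its well-known SHA-256 is used as the "expected" digest.
demo_constructed() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    bad=0000000000000000000000000000000000000000000000000000000000000000
    verify_deb_hash "$tmp" "$good"    # prints OK
    verify_deb_hash "$tmp" "$bad"     # prints MISMATCH, returns 1
    rm -f "$tmp"
}

if ! demo_constructed >/dev/null; then
    :   # the mismatch case is expected to return 1 in the demo
fi
```

The function deliberately takes the expected digest as an argument rather than fetching it, because the whole value of the check lies in where that digest came from; wiring it to the same mirror would make the comparison circular.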


You don't need the other software on a system to be audited for security compliance. You just need to know that it is not actively malicious. So any run of the mill Linux or BSD not running proprietary software.



