So the regulators have to use the provided virtual machine and tools to build the source, and verify that the resulting binary is the same as provided by your company?
How do they confirm that the toolchain has not been messed with? Surely they can't binary-check the whole OS/compiler/linker/other software in the VM?
How do they confirm that the toolchain has not been messed with? Surely they can't binary-check the whole OS/compiler/linker/other software in the VM?