Let's say HonestInc is super generous and provides the source code of its web application HonestApp on GitHub. However, I'm extremely distrustful of them, and have doubts that their actual server is running the same source code as what is provided on GitHub, as it is trivial to maintain changes between the published code and server-side code.
Assume HonestInc is generous enough to give me read access to everything on their server, and gives me SSH credentials to log into said server and have a look around. However, I still doubt that the server they gave me access to actually is not the server running the public application.
In the case of a binary, checking the authenticity of the source code can be as simple as compiling the code and diffing it against the binary to be run, but this is a service running on someone else's server.
Is it possible, with an extremely generous owner, to verify that the provided source code is the same code being run on the service?