And how did you build TWRP from source, or where do you get a reproducible TWRP build from? When I checked some months ago, there was pretty much no documentation available on how to build TWRP from source for my phone. The pre-built TWRP binaries were not reproducible.
I just use the prebuilt binaries. But saying it comes from "some anonymous haxxor" isn't fair to TWRP. The situation is no different from the vast majority of binaries we run (unless you run Gentoo maybe, but if you don't audit all sources I don't see how this adds value).