How does verifying open source software work?


How do we know the code that’s published is the same code that’s actually being used?


4 Answers

Anonymous

One way is to compile it yourself.

Another way is to download it from someone you trust.

If you install say the Ubuntu OS, the developers include a public key with the OS and sign software they produce. Basically every piece of software published by Canonical (the organization behind Ubuntu) has a few extra bytes that say “I approve this software — Canonical” and there’s some fancy math that’s used to verify the message. If the verification passes, you can be confident the software on your computer is byte-for-byte identical to the software on the computer used to generate the approval message.

Canonical (or a hacker / rogue employee with access to the right computer) could theoretically publish malicious software; you’re putting your trust in Canonical not to do that (and to guard their computer against hackers or rogue employees).

Whenever they publish a software package, Canonical is basically claiming “Such-and-such software was created by compiling such-and-such source code”. You might think it would be possible for people to write a program that automatically checks these claims by compiling it themselves and seeing if the software they got is byte-for-byte identical to the software Canonical published. Unfortunately you have to do a bunch of fiddling with your build system to set it up so that different people compiling the same source code get exactly byte-for-byte identical software. There’s a [whole project](https://reproducible-builds.org/) dedicated to doing that fiddling for every open-source software package offered by major Linux distributors.

You can also tell the Ubuntu OS to trust other software sources. If your friend Bob has a hobby of compiling software, and you trust Bob, you can tell the Ubuntu OS that it’s okay to install software signed with Bob’s key. Then Bob can publish a message “I approve this software — Bob”.
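As an added worked example (not part of the answer above), here is a toy model in Go of the two checks the answer describes: a trusted publisher signs the SHA-256 digest of the exact package bytes, the installer verifies that signature using only the keys it has been told to trust, and a reproducible rebuild is compared byte-for-byte against what was published. The key pairs and package bytes are constructed for the demo, and Ed25519 over a digest is a simplification of the real apt/GPG machinery.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Publisher models a party whose key the OS trusts (Canonical by default, or "Bob" once added).
type Publisher struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewPublisher generates a fresh signing key pair (constructed for the demo, not a real key).
func NewPublisher(name string) (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Name: name, Pub: pub, priv: priv}, nil
}

// Approve is the "I approve this software" message: a signature over the digest of the exact bytes.
func (p *Publisher) Approve(pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(p.priv, digest[:])
}

// Verify is what the installer does: re-hash what was downloaded and check it with the trusted key only.
func Verify(trusted ed25519.PublicKey, pkg, sig []byte) bool {
	digest := sha256.Sum256(pkg)
	return ed25519.Verify(trusted, digest[:], sig)
}

// Reproducible is the check a signature cannot give you: rebuild from source and compare byte-for-byte.
func Reproducible(published, rebuilt []byte) bool {
	return bytes.Equal(published, rebuilt)
}

func main() {
	canonical, _ := NewPublisher("Canonical")
	pkg := []byte("constructed package bytes: hello-1.0") // stands in for a real .deb
	sig := canonical.Approve(pkg)
	fmt.Println("verified:", Verify(canonical.Pub, pkg, sig))
}
```

A single flipped bit in the downloaded file, or a signature made with any key other than the trusted one, fails Verify; a rebuild that differs in even one byte (an embedded timestamp, say) fails Reproducible.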
