How to audit this repo?

[lattice0]

If I understood correctly, the FetchMacOS project downloads a fresh BaseSystem.img directly from apple servers, and then we emulate this BaseImage.img which in turn downloads the rest of the system?

So in order to audit everything, I coud simply audit the FetchMacOS script, certify it's downloading from apple servers. Then audit dmg2img, and finally audit firmware/, or better, simply download or compile the firmware from the original project: https://www.linux-kvm.org/page/OVMF

By the way, which OVMF should I download/compile? I think this is the only hard part. Anybody has any idea?