I am looking for something like Git but for binaries where I can prove the validity of binaries in some repository (artifactory,Nexus,…) or via it’s own repository that the binaries are valid artifacts and maybe also how they derived from other artifacts.

e.g. having a merkle tree of different binaries and their derivations.

Is this in some way possible? Is this what Git lfs will do? Or do I need Bazel for this? How does NixOS or Gnu Guix fit into this?