I never checked the source code of Qubes OS 
There is a note about this in the docs:
Please note that AIs often hallucinate about Qubes OS. If you’re using an AI to assist you, please check its conclusions against the official documentation.
And also:
The general idea of “comparing fingerprints” is to go out into the world (whether digitally, physically, or both) and find other 40-character strings purporting to be the QMSK fingerprint, then compare them to your own purported QMSK fingerprint to ensure that the sequence of alphanumeric characters is exactly the same (again, regardless of spaces or capitalization). If any of the characters do not match or are not in the same order, then at least one of the fingerprints is a forgery. Here are some ideas to get you started:
- Check the fingerprint on various websites (e.g., mailing lists, discussion forums, social media, personal websites).
- Check against PDFs, photographs, and videos in which the fingerprint appears (e.g., slides from a talk, on a T-shirt, or in the recording of a presentation).
- Ask people to post the fingerprint on various mailing lists, forums, and chat rooms.
- Download old Qubes ISOs from different sources and check the included Qubes Master Signing Key.
- Repeat the above over Tor.
- Repeat the above over various VPNs and proxy servers.
- Repeat the above on different networks (work, school, internet cafe, etc.).
- Text, email, call, video chat, snail mail, or meet up with people you know to confirm the fingerprint.
- Repeat the above from different computers and devices.