Profile: 028673b7...

- There is `nix store verify`, which re-downloads all packages and checks that both copies of every package match.

- The same hash __could__ contain different contents if the build is somehow not reproducible. Builds are sandboxed and this eliminates most sources of randomness, but several loopholes exist (e.g. random numbers or the current time).

- Yes, but nixpkgs maintainers try hard to make everything reproducible.
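
The point about one hash covering different contents, as an added example that is not part of the original comment and is not Nix's own code: a simplified model in which the store hash is computed from the build recipe only, so a builder that leaks the current time yields different outputs under the same hash. The function names, recipe fields and clock values are hypothetical and constructed for illustration.

```python
import hashlib
import json

def store_hash(drv: dict) -> str:
    # Simplified model: the store hash covers only the build inputs.
    # (Not Nix's real hashing scheme; it illustrates input-addressing only.)
    recipe = json.dumps(drv, sort_keys=True).encode()
    return hashlib.sha256(recipe).hexdigest()[:32]

def build(drv: dict, clock) -> bytes:
    # Constructed builder: an impure recipe leaks the build time into its output.
    out = b"binary-of:" + drv["src"].encode()
    if drv["embeds_build_time"]:
        out += b"\nbuilt-at:" + str(clock()).encode()
    return out

def compare_builds(drv: dict, clocks) -> dict:
    # Build the same recipe once per clock and compare output content hashes.
    digests = [hashlib.sha256(build(drv, c)).hexdigest() for c in clocks]
    return {
        "store_hash": store_hash(drv),
        "content_hashes": digests,
        "reproducible": len(set(digests)) == 1,
    }

# Constructed sample recipes and two fixed "machines" with different clocks.
CLOCKS = [lambda: 1700000000, lambda: 1700003600]
PURE = {"name": "example", "src": "example-1.0.tar.gz", "embeds_build_time": False}
IMPURE = {"name": "example", "src": "example-1.0.tar.gz", "embeds_build_time": True}

if __name__ == "__main__":
    for drv in (PURE, IMPURE):
        result = compare_builds(drv, CLOCKS)
        print(drv["embeds_build_time"], result["store_hash"], result["reproducible"])
```

Comparing the content hashes of two independent builds is what exposes the mismatch; the store hash alone is identical in both cases.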