Does anyone know if there are any plans to support signing and reproducible builds with PWAs? Voyager (https://github.com/aeharding/voyager) is now reproducibly built on F-Droid, and, naturally, signed for distribution as a native app, which is awesome, but those using the PWA do not have such guarantees.

I honestly don’t even know where in the web stack signing and reproducible build support for PWAs would be integrated. Browser level? W3C spec? Or just some open source project that provides tools to build and deploy a webapp in a reproducible and verifiable bundle? idk

Anyways, I guess I just feel like PWAs could benefit from signing and reproducible builds. Imagine clicking “add to homescreen” and seeing a checkbox verifying that the webapp bundle you’re installing was built from a specific git SHA and signed by the developer. (This obviously might be too low level for a regular user, but I’m sure some UX sugar could make this better.)

It would also allow for secure app updates - for example, rejecting an update in case the server distributing the PWA is compromised.

What are your thoughts?
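
The update check described in the post, sketched as an added example that is not part of the original post and is not an existing browser or W3C mechanism. The manifest layout, the function names `signBundle` and `verifyUpdate`, the integer version counter and all sample data are assumptions made for illustration.

```javascript
// Hypothetical signed-manifest check for a PWA bundle (Node.js, Ed25519).
const nodeCrypto = require('node:crypto');
const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest('hex');

// Developer side: hash every file, bind the hashes to a commit and version, sign.
function signBundle(files, commit, version, privateKey) {
  const hashes = {};
  for (const path of Object.keys(files).sort()) hashes[path] = sha256(files[path]);
  const manifest = JSON.stringify({ commit, version, hashes });
  const sig = nodeCrypto.sign(null, Buffer.from(manifest), privateKey);
  return { manifest, signature: sig.toString('base64') };
}

// Client side: the key pinned at install time is the only trust anchor;
// the server delivering the update is treated as untrusted.
function verifyUpdate(files, signed, pinnedPublicKey, installedVersion) {
  const sig = Buffer.from(signed.signature, 'base64');
  if (!nodeCrypto.verify(null, Buffer.from(signed.manifest), pinnedPublicKey, sig))
    return { ok: false, reason: 'bad signature' };
  // Parse only after the signature over the raw manifest bytes has verified.
  const { commit, version, hashes } = JSON.parse(signed.manifest);
  if (!Number.isInteger(version) || version <= installedVersion)
    return { ok: false, reason: 'rollback' };
  const served = Object.keys(files).sort();
  if (JSON.stringify(served) !== JSON.stringify(Object.keys(hashes).sort()))
    return { ok: false, reason: 'file set mismatch' };
  for (const path of served)
    if (sha256(files[path]) !== hashes[path])
      return { ok: false, reason: `hash mismatch: ${path}` };
  return { ok: true, commit, version };
}

// Constructed sample data: key pair, bundle contents and commit id are made up.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
const bundle = {
  'index.html': Buffer.from('<script src="app.js"></script>'),
  'app.js': Buffer.from('console.log("v2")'),
};
const signed = signBundle(bundle, '<git-sha-placeholder>', 2, privateKey);

// Genuine update, altered file, manifest re-signed with another key, and replay.
function demo() {
  const tampered = { ...bundle, 'app.js': Buffer.from('console.log("changed")') };
  const other = nodeCrypto.generateKeyPairSync('ed25519');
  const resigned = signBundle(tampered, '<git-sha-placeholder>', 3, other.privateKey);
  return {
    genuine: verifyUpdate(bundle, signed, publicKey, 1),
    tampered: verifyUpdate(tampered, signed, publicKey, 1),
    resigned: verifyUpdate(tampered, resigned, publicKey, 1),
    rollback: verifyUpdate(bundle, signed, publicKey, 2),
  };
}
console.log(demo());
```

The signature only proves which key approved the file hashes; tying those hashes to the stated commit still depends on the build being reproducible, so a third party can rebuild and compare.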