For example you have email web app with E2E encryption. With client side E2E encryption you don't need to trust server with your data, but you definitely have to trust client.
But here comes problem, because client is distributed from server you don't want to trust and each page refresh can download new code from server.
You need somehow to check if client is not made malicious by attacker or whoever.
With code signing you can do two things:
- check if code was signed by developer and block downloading new source if not
- or even more (advanced), verify that that signed build you are downloading is actually build, which is published somewhere and can be audited.
Some dirty solution can be spinning up home server just to download web app to your device and let service workers cache everything relevant. And then turn off server to prevent any updates to app.
This is of course not very user friendly, but might have some use, if you can't or don't want to have running server 24/7 at your home or secure location.
But I don't know, if any browser will let offline apps live for indefinite time.
I was even playing with code signing web apps with help of service workers, which was not bullet proof, but better than nothing. Ultimately it failed on the fact, that you could not prevent/cache/block update of actual service worker file.
Another dirty workaround could be using dynamic one time address for serving service worker only on first attempt and then browser would get 404 on attempts to update service worker. Again, not very useful as you are at mercy that browser won't just purge such "broken" worker.
Thank you. Yes, as @gnabgib pointed, you can use it directly from included repositories (static React sites with Node.js server). I can add some basic guide to docs as alternative setup.
For example you have email web app with E2E encryption. With client side E2E encryption you don't need to trust server with your data, but you definitely have to trust client.
But here comes problem, because client is distributed from server you don't want to trust and each page refresh can download new code from server.
You need somehow to check if client is not made malicious by attacker or whoever.
With code signing you can do two things: - check if code was signed by developer and block downloading new source if not - or even more (advanced), verify that that signed build you are downloading is actually build, which is published somewhere and can be audited.