> That's kind of a shame. It would be nice if apps distributed over the web could be signed the same way they are from repositories.
This sounds like a theoretical impossibility. The server's source code is by nature closed, and while the server could provide you a copy of the source with a signature, there's really no way for you to verify that the code you've been promised is the code that is running.
A browser feature would be required that could calculate/display the hash of the delivered code and optionally verify it against a 3rd party server. Ideally you'd want to have particular versions signed as "audited" etc.
You're neglecting the server-side code. If you have access to the full source code to verify it, you're not describing a web service, you're describing a local application that happens to be implemented in a browser.
You already can distribute signed browser add-ons.
That's kind of a shame. It would be nice if apps distributed over the web could be signed the same way they are from repositories.
> Not to mention that the browser itself presents a pretty large attack surface.
As does the operating system itself. I would have thought with a local (likely native) client, you just have one less layer to get through.