this post was submitted on 29 Oct 2023
2 points (100.0% liked)

Progressive Web Apps

156 readers
1 users here now

founded 1 year ago
MODERATORS
 

Does anyone know if there are any plans to support signing and reproducible builds with PWAs? Voyager (https://github.com/aeharding/voyager) is now reproducibly built on F-droid, and, naturally, signed for distribution as a native app, which is awesome, but those using the PWA do not have such guarantees.

I honestly don't even know where in the web stack signing and reproducible build support for PWAs would be integrated. Browser level? w3c spec? Or just some open source project that provides tools to build and deploy a webapp in a reproducible and verifiable bundle? idk

Anyways, I guess I just feel like PWAs could benefit from signing and reproducible builds. Imagine clicking "add to homescreen" and seeing a checkbox verifying that the webapp bundle you're installing was built from a specific git SHA and signed by the developer. (This obviously might be too low level for a regular user, but I'm sure some UX sugar could make this better.)

It would also allow for secure app updates - for example, rejecting an update in case the server distributing the PWA is compromised.

What are your thoughts?

top 2 comments
sorted by: hot top controversial new old
[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Definitely gonna look into this! I was gonna say that the domain and SSL certificate achieved the same goal as signing/bundling would, but self-hostable PWAs would really benefit from this since that’s not applicable hosted elsewhere. A browser-side implementation would probably be the most robust, but it would be awesome if there was some way to do it without a centralized authority.

[–] aeharding 2 points 1 year ago

Thanks for the reply!

I was gonna say that the domain and SSL certificate achieved the same goal as signing/bundling would, but self-hostable PWAs would really benefit from this since that’s not applicable hosted elsewhere.

Yeah, signing the bundle means it doesn't really matter where or how its distributed, and you don't have to worry about the server hosting it getting compromised. It removes an extra part of the chain in distribution that could be exploited.

The reproducible build part also means that you don't even have to trust the developer - just the code - since you could verify the bundle deployed to the website is built from a specific git SHA available on github or whatever. (But this part only really works for open source projects where the code can be audited by anyone.)