I like how they don't flaunt crypto terms all over the place. Calling encrypted content "gibberish" is fun.
And I think it's a genius use-case for Service Workers. From their security page[0]: "we're using a relatively new web technology (Service Workers) to install some code which can't be changed without setting off a warning to you. That code then keeps taps[sic] on all other code, and checks that it matches the publicly available version on GitHub."
Combine this with HSTS, and you can be certain the code running hasn't been modified by a third-party.
To be precise: If it works as described, it makes it (a little? substantially? orders of magnitude?) more difficult for third parties to modify the code.
Very true. You probably still need to trust that the developers' GitHub accounts aren't compromised. I was looking at their repo[0] for this Service Worker verification, and their "So what's the problem this solves?" section confuses me, as it doesn't explain the how. :/
While a hacker gaining access to the developers' GitHub account would be bad, they would still have to actually push the malicious code to GitHub before they can serve it from airborn.io. So, if people pay attention to pushes to GitHub, this attack could still be detected (but not prevented). For prevention, one possibility would be to require all commits to have been on GitHub for at least 24h or so. Then, the devs would have some time to try and get their accounts back. We don't implement that today, though.
That section attempts to explain how web apps work today, if you don't use that library. Reading the entire thing back, I agree that the how is never explained very well, although https://www.airborn.io/docs/security does explain it.
[0] https://www.airborn.io/docs/security