If the JavaScript bundle that is being served is built on a public CI/CD service, it could be possible to do the following, for transparency and verification:
- Include in a header comment: the build URL, Git SHA-1 of the commit, and other metadata
- Sign the bundle using public/secret key cryptography
Having the build URL and sources URL helps with discoverability and transparency, while integrity can be verified with the signature.
Adversary models now shift from the bundle provider to the CI/CD platform that runs the build, and any PKI used for the public key for signature verification. If the public key is versioned with the code, it can help reduce trust to a single entity (where the code is stored).
Yes, but there's no provision in the browser to do these kinds of integrity checks. If the browser isn't verifying it there's no point in adding any of this info, because it can be substituted covertly. In principle such 'version-pinning' could be added to the browser, but no-one has done so yet.