In Airborn.io, I've solved this by installing some code in a Service Worker, which verifies all updates: http://blog.airbornos.com/post/2017/08/03/Transparent-Web-Ap...

The SW stays installed for when you open the web app the next time, in essence making it a trust-on-first-use scheme.

I'm working on a library: https://github.com/airbornio/signed-web-apps

It would be cool if other web apps (including Graphite?) could implement it too.