
The difference is that if a server running HTTPS is hacked, the attacker can modify the JavaScript at will. With an app that's signed offline, this isn't possible; you could even redistribute it on an untrusted mirror.

Also, in theory, an independent auditor could rebuild the app from source and verify that the bits match, and do an independent audit of the source. So signed apps are more verifiable.

The trusted base for a signed app is (browser + app + app signer), not (browser + app + server), where the server might be a virtual machine in the cloud and you need to trust the virtual machine host provider too.

This doesn't matter most of the time because you have to trust the server anyway, but in the case of someone wanting to encrypt something on the client that cannot be decrypted on the server, it does matter. Encrypting on the client is mostly pointless unless the client code is independent of the server, which requires it to be independently signed.

There is still a cert chain of course, but it's a different one where the developer's private key doesn't get uploaded to the server.

Signed apps are fundamentally not how the web works. The argument here is that the web is basically broken for client-side encryption and the app store model is better for things like secure email or a bitcoin wallet.

But since most app store apps aren't open source and the open source ones aren't independently audited in practice, it's not clear it's a practical difference.


