
Legitimately, if you used e.g. Ethereum to compile your code, you could actually prove that a given executable was compiled from given source. Otherwise the only way to verify a build is to build it yourself and check the hashes. Signing just verifies that the build came from a given person, not that they used the source code they say they did.

This was one of the interesting use cases I thought about when I dug into crypto.




The signature doesn't have to be from the developer; it could be a signature from Google that marks that the extension was compiled from/matches the specified source. If you're running Chrome and installing extensions from the Chrome Web Store you're trusting Google already.

As evinced by the article, the web store isn't perfectly trustworthy but this kind of validation could be done automatically and I do trust their ability to automate.


If Google compiled the extensions that would work. Seems like it would take a lot of standardization to make that possible. But in principle that would certainly be better than the current situation.


>ex. Ethereum to compile your code...

but that's just a roundabout way of doing reproducible builds.


Reproducible builds you can cryptographically verify without doing the building yourself.


How would this work on a blockchain? The best I could come up with is "check that a bunch of other nodes built it and came up with the same result", or "use a trusted execution environment (SGX or TZ) to build it".


One expensive way that would work would be to write a compiler in Solidity. There might be better ways involving breaking up the code and splitting it up between compute resources like on Golem. By the standards of common blockchain cryptographic security I'm pretty skeptical of SGX and the like.


So if you could build a perfectly efficient compiler that did not create any additional overhead, and if the normal compilation took about a second or two (or any longer) to run locally, then you would run waaay over the gas limit. That also means such a thing would cost way more than 10 dollars to run.


Yeah, super expensive for sure. But in principle possible - I'm sure there are smarter ways to do it. I could also see some users willing to pay ~$1K or more. A big company committed to high-security, open source firmware for their routers, for example, could benefit a lot by being able to demonstrate to their customers that they use a given (ideally highly readable for auditing purposes) source code and that the updates they receive really use that source. I don't think there's a means to enable that sort of cryptographic verification currently without every interested end user rebuilding the source.
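
An added example, not part of any comment in this thread: one way to realise the "check that a bunch of other nodes built it and came up with the same result" idea raised above is to accept a binary only when a threshold of independent rebuilders attest the same source-to-artifact hash pair. The rebuilder names, keys and sample data are constructed, and HMAC stands in for a real signature scheme.

```python
import hashlib
import hmac

# Constructed per-rebuilder keys; HMAC stands in for a real signature scheme.
REBUILDER_KEYS = {"rebuilder-a": b"key-a", "rebuilder-b": b"key-b", "rebuilder-c": b"key-c"}


def attest(builder, source_digest, artifact_digest):
    """What a rebuilder publishes after building source_digest itself."""
    msg = f"{source_digest}:{artifact_digest}".encode()
    tag = hmac.new(REBUILDER_KEYS[builder], msg, hashlib.sha256).hexdigest()
    return {"builder": builder, "source": source_digest,
            "artifact": artifact_digest, "tag": tag}


def verify_artifact(artifact, source_digest, attestations, threshold=2):
    """Accept artifact only if >= threshold distinct known rebuilders
    attest that source_digest builds to exactly these bytes."""
    digest = hashlib.sha256(artifact).hexdigest()
    agreeing = set()
    for att in attestations:
        key = REBUILDER_KEYS.get(att["builder"])
        if key is None:
            continue  # unknown rebuilder: ignored
        msg = f"{att['source']}:{att['artifact']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, att["tag"]):
            continue  # forged or corrupted attestation
        if att["source"] == source_digest and att["artifact"] == digest:
            agreeing.add(att["builder"])  # set: one vote per rebuilder
    return len(agreeing) >= threshold


# Constructed sample data.
SOURCE = hashlib.sha256(b"constructed source tree").hexdigest()
GOOD = b"constructed binary built from SOURCE"
TAMPERED = b"constructed binary with an extra payload"
GOOD_DIGEST = hashlib.sha256(GOOD).hexdigest()
ATTESTATIONS = [
    attest("rebuilder-a", SOURCE, GOOD_DIGEST),
    attest("rebuilder-a", SOURCE, GOOD_DIGEST),  # duplicate, counts once
    attest("rebuilder-b", SOURCE, GOOD_DIGEST),
    attest("rebuilder-c", SOURCE, hashlib.sha256(TAMPERED).hexdigest()),
]

if __name__ == "__main__":
    print(verify_artifact(GOOD, SOURCE, ATTESTATIONS))      # True
    print(verify_artifact(TAMPERED, SOURCE, ATTESTATIONS))  # False
```

The end user only hashes the download and checks attestations; the rebuilding cost is paid by the rebuilders, and the guarantee is only as strong as their independence.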



