
Managing Isolated Web Apps’ signing keys

With Chrome and ChromeOS 128, a new and powerful way of creating web apps for ChromeOS (and in the future, cross-platform apps) has emerged: Isolated Web Apps (IWAs).

IWAs introduce a novel approach to the security and installation of web apps. Unlike Progressive Web Apps—which are primarily websites—Isolated Web Apps are signed and versioned web bundles that contain all of the app's code and are designed to work independently of any web server.

However, this model presents a challenge that current web apps do not face: the proper management of signing keys. Because the Web Bundle ID of an Isolated Web App is derived directly from the key used to sign the web bundle, one key cannot be reused to identify multiple apps. A compromised key is also hard to recover from: changing the Web Bundle ID effectively creates a new app that neither overrides the old one nor can be distributed as an update to it. Methods to resolve this by rebinding the bundle ID to another key are planned, but they should be considered a last resort rather than a regular key rotation practice.

Effective Key Management Systems—ideally those that do not allow the retrieval of private keys—can be invaluable here. The wbn-sign NPM package and its integrations in webbundle-webpack-plugin and rollup-plugin-webbundle, which provide end-to-end signing of web bundles, show the functionality needed. To plug in a KMS, implement wbn-sign's ISigningStrategy interface, which has one method for signing and one for retrieving the public key. The GCPWbnSigner class from the wbn-sign-gcp-kms NPM package is an example of doing this with GCP KMS signing features. You can find its sample integration with a webpack-based IWA build workflow in the Web Smart Card API Demo project.

If you are unfamiliar with Isolated Web Apps, please refer to the getting started guide. Try to use the above tools to integrate your app signing with your preferred KMS!