This feature provides web developers with a mechanism to verify the provenance of resources they depend upon, creating a technical foundation for trust in a site's dependencies. In short: servers can sign responses with an Ed25519 key pair, and web developers can require the user agent to verify the signature using a specific public key. This offers a helpful addition to the URL-based checks offered by Content Security Policy on the one hand, and Subresource Integrity's content-based checks on the other.
To protect themselves from code injection, developers can restrict themselves to loading script from certain URLs and certain `<script>` elements (through Content Security Policy), and to loading script whose content is well-known (through Subresource Integrity). These satisfy a large number of use cases, but fail to satisfy others (particularly supply chain integrity for dynamic resources). Signatures reasonably address this hole, nicely complementing the existing mechanisms.
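The contrast between a content-based check and a signature-based check on a dynamic resource, as an added Node.js example that is not code from the proposal. It is a simplified model: it signs the raw body bytes and does not reproduce the header format the explainer defines, and all names (`serve`, `hashCheck`, `signatureCheck`, `PINNED_KEY`) and sample bodies are constructed for illustration.

```javascript
const { generateKeyPairSync, createPublicKey, createHash, sign, verify } = require('node:crypto');

// Constructed keys: the publisher's signing key and an unrelated key.
const publisher = generateKeyPairSync('ed25519');
const other = generateKeyPairSync('ed25519');

// What the embedding page pins: only the publisher's public key (base64 SPKI in this model).
const PINNED_KEY = publisher.publicKey.export({ format: 'der', type: 'spki' }).toString('base64');

// Server side: sign whatever body is being served right now.
function serve(body, privateKey) {
  const bytes = Buffer.from(body, 'utf8');
  return { body: bytes, signature: sign(null, bytes, privateKey) };
}

// Content-based check: the digest was fixed when the page was authored.
function hashCheck(response, pinnedDigest) {
  const digest = createHash('sha256').update(response.body).digest('base64');
  return digest === pinnedDigest;
}

// Provenance-based check: any body is acceptable if the pinned key signed it.
function signatureCheck(response, pinnedKeyB64) {
  const key = createPublicKey({ key: Buffer.from(pinnedKeyB64, 'base64'), format: 'der', type: 'spki' });
  return verify(null, response.body, key, response.signature);
}

function runScenarios() {
  const v1 = serve('console.log("build 1");', publisher.privateKey);
  const pinnedDigest = createHash('sha256').update(v1.body).digest('base64');
  // Dynamic resource: the publisher ships a new build without the page changing.
  const v2 = serve('console.log("build 2");', publisher.privateKey);
  // Body changed after signing, signature left as it was.
  const altered = { body: Buffer.from('console.log("altered");'), signature: v2.signature };
  // Validly signed, but by a key the page did not pin.
  const wrongKey = serve('console.log("build 2");', other.privateKey);
  const check = (r) => ({ hash: hashCheck(r, pinnedDigest), signature: signatureCheck(r, PINNED_KEY) });
  return { v1: check(v1), v2: check(v2), altered: check(altered), wrongKey: check(wrongKey) };
}

console.log(runScenarios());
```

Only the `v2` case separates the two checks: the pinned digest rejects the publisher's own new build, while the pinned key accepts it and still rejects the altered body and the unpinned signer.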
Explainers: https://github.com/WICG/signature-based-sri