[MichaelGG]

Stallman is just recommending a way to have scripts self identify as free software. There's nothing that'll help there.

Implementing as an API doesn't help much, and in fact might just make it easier to fake. This is because you have a reduced surface area that you need to check and modify.

It's theoretically impossible if you assume full control of hardware. But most people are not capable of controlling hardware, so secure enclaves and remote attestation are likely to be a legitimate win if feasible.

[rainmaking]

The first statement is untrue: Stallman is also advocating measures to replace obfuscated JavaScript web apps with free versions:

"Browser users also need a convenient facility to specify JavaScript code to use instead of the JavaScript in a certain page. (The specified code might be total replacement, or a modified version of the free JavaScript program in that page.) Greasemonkey comes close to being able to do this, but not quite, since it doesn't guarantee to modify the JavaScript code in a page before that program starts to execute."

As for the second claim, actually implementing as an API does indeed help, because most of the code is then running in the browser and can be audited.

As for the third, the are no known ways to implement secure enclaves and remote attestation, that is what the questioner is asking. If you know of any, do share them.

[MichaelGG]

OK, but unminimized JS still has no bearing on trusted computing.

What about Intel TXT (maybe?) and the upcoming SGX? Although I've not seen details on how the key system works with SGX. But assuming each processor has a unique ID/public key signed by Intel, and assuming we trust Intel and assume it's not profitable/plausible for a darknet to undo Intel's hardware protection, SGX seems to be exactly what the OP is asking for.

[rainmaking]

Yes it does; the current state of the art of trusted computing is indeed "run open source on your own hardware", and unminifed JS does that. It's only, as of now, impractical, because the browser does not help with verification.

I was unaware of Intel SGX; sounds okay in principle, but I would consider the jury out until it's released and a the security community has weighed in.