Red Hat CodeReady Studio (devstudio) / JBDS-4330

PGP ASCII armored clearsign signature verification for .json and .js files

    • Bug
    • Resolution: Done
    • Major
    • 11.1.0.AM1
    • 11.0.0.AM1
    • platform-installer
    • None

      To allow loading remote configuration or even JavaScript modules, there should be a way to confirm the origin of a downloaded file to prevent 'man in the middle' attacks. Files loaded from a remote location should bear a GPG signature that the installer should verify before proceeding with the loaded file.

      This should be possible with https://github.com/openpgpjs/openpgpjs, using 'Create and verify detached signatures' from https://openpgpjs.org/openpgpjs/doc/index.html.

      The idea is to sign the .json or .js file with GPG, then download it and separate the json/js code from the signature, verify it, and then proceed with loading the .json or js module from a string.

            nivologd@gmail.com Denis Golovin (Inactive)
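
The splitting step described in this issue, as an added example that is not part of the original report or the installer's code: it separates a clearsigned file (RFC 4880 cleartext signature framing) into the signed text and the armored signature, rejects anything outside the armor, and parses JSON only from the verified string. The names `splitClearsigned` and `loadSignedJson` and the `verify` hook are assumptions; the cryptographic check itself is left to the OpenPGP library behind that hook.

```javascript
const BEGIN_MSG = '-----BEGIN PGP SIGNED MESSAGE-----';
const BEGIN_SIG = '-----BEGIN PGP SIGNATURE-----';
const END_SIG = '-----END PGP SIGNATURE-----';

// Split an RFC 4880 cleartext-signed document into signed text and signature.
function splitClearsigned(armored) {
  const lines = armored.split(/\r?\n/);
  while (lines.length && lines[lines.length - 1].trim() === '') lines.pop();
  // Text before or after the armor is not covered by the signature: reject it.
  if (lines[0] !== BEGIN_MSG) throw new Error('missing clearsign header');
  if (lines.indexOf(END_SIG) !== lines.length - 1) {
    throw new Error('signature block must end the file');
  }
  // Armor headers ("Hash: SHA256") run up to the first empty line.
  let i = 1;
  const hashes = [];
  for (; i < lines.length && lines[i] !== ''; i++) {
    const m = /^Hash: (.+)$/.exec(lines[i]);
    if (!m) throw new Error('unexpected armor header');
    hashes.push(...m[1].split(',').map((h) => h.trim()));
  }
  const sigStart = lines.indexOf(BEGIN_SIG, i);
  if (sigStart < 0) throw new Error('missing signature block');
  const text = lines.slice(i + 1, sigStart).map((line) => {
    // Signed lines that start with "-" arrive dash-escaped as "- -...".
    if (line.startsWith('- ')) line = line.slice(2);
    else if (line.startsWith('-')) throw new Error('unescaped dash in signed text');
    return line.replace(/[ \t]+$/, ''); // trailing blanks are not signed
  }).join('\n');
  return { hashes, text, armoredSignature: lines.slice(sigStart).join('\n') };
}

// `verify` is a hypothetical async hook wrapping the OpenPGP library call;
// it must resolve to true only for a signature made by a trusted key.
async function loadSignedJson(armored, verify) {
  const { text, armoredSignature } = splitClearsigned(armored);
  if ((await verify(text, armoredSignature)) !== true) {
    throw new Error('signature rejected');
  }
  return JSON.parse(text); // parse the verified string, never the raw download
}

// Constructed sample; the signature body is a placeholder, not a real signature.
const SAMPLE = [BEGIN_MSG, 'Hash: SHA256', '', '[', '- -1,', '2', ']',
  BEGIN_SIG, '', 'PLACEHOLDER', END_SIG, ''].join('\n');
```
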