Integrity without confidentiality is trivial.
How so? Your ISP is still the channel over which the integrity information is sent. Why couldn't they just swap the SRI hashes as well?
You could sign the content with the same CA architecture we already use to encrypt it, but leave it plain text (just a thought.)
A browser could render a similar security warning to what it already does, if the signature doesn’t match or if the hash is wrong.
Right, I didn't thank about that part. They could technically replace it with another valid certificate, but if you're looking for specific certificates you will notice immediately.
Well, an ISP that wants to MITM your traffic today can present another valid certificate too, nothing changes there. It’s just that they couldn’t use a valid certificate that has the same Common Name (FQDN) as the site you’re connecting to, without having their root CA in your browser’s store (so, same behavior as we already have with TLS.) Presenting a cert with a different FQDN already causes a browser warning.
Yep, you're right, I had a brainfart there. Thanks for being nice and explaining it! :)
Well, it still involves some kind of public key infrastructure, but encryption could be optional even in https. Linux distros have been hosting their packages on plain http for two decades, PGP signatures (again, not a great example of "trivial", I admit) were sufficient to ensure integrity.
Also, a lot of ISPs blackbox caching proxies were buggy and breaking websites.