That’d be up to you when you supplied the client/database details to the end user. Presumably it’d have to have some legal blahblahblah at the start saying that the responsibility for the games was in the user’s own hands and the liability was the game author’s or something.
You could only accept JNLPs that are sandboxed and only support a selection of signed extensions hosted on your server (for instance most of my games are now unsigned and depend on my signed Slick extension).
Alternatively you could enforce that only “real” certificates are being used to sign things. Rarely do people looking to hack up players’ systems want to splash out for a real cert.
The signatures are checked on the JARs where required and sandbox is enforced where not, just the user isn’t prompted to approve the certificate - since they’ve already said they want to download and play the game (as you said). So in answer to the first question I suppose you could say you’re just confirming that the certificates are “real”.
Oh, and it’s only really a prototype hack thing. Not sure it’s even viable as an actual games database. Just something that seemed worth doing for a few days.
Kev
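The acceptance rule suggested in the post above (sandboxed JNLPs only, extensions only from your own server), sketched as an added example that is not part of the original post or the prototype's code. The host name `extensions.example.org`, the function name `check_jnlp` and both sample descriptors are assumptions constructed for illustration; the extension descriptors on the trusted host are assumed to be vetted separately.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Assumption: the host that serves the vetted, signed extensions.
TRUSTED_EXTENSION_HOST = "extensions.example.org"
ELEVATED = ("all-permissions", "j2ee-application-client-permissions")

def check_jnlp(xml_text):
    """Return a list of policy violations; an empty list means acceptable."""
    # Submitted descriptors are untrusted and JNLP needs no DTD: refuse them.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DOCTYPE/ENTITY declarations are not accepted"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "jnlp":
        return ["root element is not <jnlp>"]
    problems = []
    # A descriptor without elevated <security> children runs sandboxed.
    for sec in root.iter("security"):
        problems += [f"requests <{c.tag}/>" for c in sec if c.tag in ELEVATED]
    codebase = root.get("codebase", "")
    for ext in root.iter("extension"):
        # Relative hrefs resolve against the codebase, so resolve before checking.
        url = urlparse(urljoin(codebase, ext.get("href", "")))
        if url.scheme != "https" or url.hostname != TRUSTED_EXTENSION_HOST:
            problems.append(f"extension from untrusted location: {url.geturl()}")
    return problems

# Constructed sample descriptors (not from any real game).
GOOD = """<jnlp spec="1.0+" codebase="https://games.example.net/puzzle/">
  <resources>
    <jar href="puzzle.jar"/>
    <extension name="slick" href="https://extensions.example.org/slick.jnlp"/>
  </resources>
  <application-desc main-class="Puzzle"/>
</jnlp>"""

BAD = """<jnlp spec="1.0+" codebase="https://games.example.net/shooter/">
  <security><all-permissions/></security>
  <resources>
    <jar href="shooter.jar"/>
    <extension name="native" href="libs/native.jnlp"/>
  </resources>
</jnlp>"""

if __name__ == "__main__":
    print(check_jnlp(GOOD))
    print(check_jnlp(BAD))
```

This only screens the descriptor; JAR signature verification and sandbox enforcement still happen in the client, as the post describes.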