[FEATURE] Plugin signing and integrity verification

Resolved 💬 5 comments Opened Mar 1, 2026 by alexeyv Closed Apr 30, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

Plugins execute with full user permissions — shell access, file system, hooks — but are distributed with no cryptographic signing or integrity verification.

When a user runs claude plugin install or claude plugin update, there is no check that the content is authentic, untampered, or published by the claimed author. A compromised marketplace repo silently delivers malicious content to every consumer who updates.

Proposed Solution

At minimum:

  • Content hash pinning: record a hash at install time, verify on load, warn if content changed without a version bump
  • Publisher signature verification: allow marketplace owners to sign releases with a key declared in the manifest, reject updates that fail verification

Alternative Solutions

Every major package ecosystem has addressed this: npm (Sigstore provenance), Docker (Content Trust), VS Code (VSIX signatures), macOS (code signing), PyPI (PEP 740 attestations).

Currently there is no workaround. Consumers must blindly trust that marketplace repos have not been compromised.

Related issues: #28879, #5984

Priority

Critical - Blocking my work

Feature Category

CLI commands and flags

Use Case Example

  1. Organization hosts an internal plugin marketplace as a git repo
  2. A maintainer account is compromised or the repo is pushed to by an attacker
  3. Developers across the org run claude plugin update
  4. Malicious hooks and skills silently activate with full shell access
  5. No verification fails, no warning is shown
  6. With signing, the update would be rejected because the content does not match the publisher key

Additional Context

_No response_

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗