Feature request: plugin code signing for supply chain integrity

Resolved 💬 5 comments Opened Mar 30, 2026 by iamadalek Closed May 2, 2026

Feature Request: Plugin Code Signing

Description

There is currently no mechanism to verify plugin authenticity or integrity. Plugins are distributed as plain files (markdown, JSON, scripts) with no signing, hashing, or provenance verification.

Problem

  • Users installing plugins from the marketplace have no way to verify the plugin hasn't been tampered with
  • Plugin authors have no way to prove their plugin is authentic
  • No integrity check between what's in the repository and what's loaded by Claude Code/Cowork

Suggested Approach

  1. Allow plugin authors to sign their plugin.json manifest (GPG or similar)
  2. Include content hashes of all plugin files in the manifest
  3. Verify signatures and hashes during plugin installation
  4. Display verification status in the Customize panel

Priority

Low — this is an ecosystem-level concern, not a blocker for current plugin development. But as the plugin ecosystem grows, supply chain integrity will become increasingly important.

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗