Feature request: plugin code signing for supply chain integrity
Resolved 💬 5 comments Opened Mar 30, 2026 by iamadalek Closed May 2, 2026
Feature Request: Plugin Code Signing
Description
There is currently no mechanism to verify plugin authenticity or integrity. Plugins are distributed as plain files (markdown, JSON, scripts) with no signing, hashing, or provenance verification.
Problem
- Users installing plugins from the marketplace have no way to verify the plugin hasn't been tampered with
- Plugin authors have no way to prove their plugin is authentic
- No integrity check between what's in the repository and what's loaded by Claude Code/Cowork
Suggested Approach
- Allow plugin authors to sign their
plugin.jsonmanifest (GPG or similar) - Include content hashes of all plugin files in the manifest
- Verify signatures and hashes during plugin installation
- Display verification status in the Customize panel
Priority
Low — this is an ecosystem-level concern, not a blocker for current plugin development. But as the plugin ecosystem grows, supply chain integrity will become increasingly important.
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗