Skip to content

External plugin signing policy

External plugin package indexes always include package SHA-256 checksums. Signature verification is intentionally policy-driven so operators can use their existing signing systems without adding a runtime crypto dependency to Automax.

scripts/check-plugin-index-policy.sh dist/automax-plugins-index.json

To require signature metadata in the index:

AUTOMAX_PLUGIN_INDEX_REQUIRE_SIGNATURE=1 \
  scripts/check-plugin-index-policy.sh dist/automax-plugins-index.json

A signature entry is an object with at least type and path fields. Example:

{
  "type": "cosign",
  "path": "company-plugins.zip.sig"
}

Automax validates the index policy shape and checksum presence. The external trust decision remains with the operator's signing toolchain.