External plugin signing policy
External plugin package indexes always include package SHA-256 checksums. Signature verification is intentionally policy-driven so operators can use their existing signing systems without adding a runtime crypto dependency to Automax.
scripts/check-plugin-index-policy.sh dist/automax-plugins-index.json
To require signature metadata in the index:
AUTOMAX_PLUGIN_INDEX_REQUIRE_SIGNATURE=1 \
scripts/check-plugin-index-policy.sh dist/automax-plugins-index.json
A signature entry is an object with at least type and path fields. Example:
{
"type": "cosign",
"path": "company-plugins.zip.sig"
}
Automax validates the index policy shape and checksum presence. The external trust decision remains with the operator's signing toolchain.