
All plugins must be PGP signed by a certificate which is known to the plugin installer subsystems.

Each plugin has its own "trust store" where the PGP certificates for that plugin are stored. This is a file inside the IDP installation called %{idp.home}/credentials/pluginid/truststore.asc. It is a text file which should contain one or more PGP PUBLIC KEY BLOCK sections (for example the one here). Having a separate trust store for each plugin ensures that trust cannot "leak" from one plugin to another.

Before installing a plugin you SHOULD

  • Locate the signing certificate(s) for the plugin
  • Verify them by a suitable out-of-band trust mechanism.
  • Place them at the required location.

During plugin installation and update the installer will

  1. Check that a certificate which matches the signature is in the trust store
  2. Use that certificate to check the validity of the package
  3. If it is valid, proceed with the install.
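The following is an added example, not Shibboleth project code, that models installer step 1 and the per-plugin isolation described above: it constructs a truststore.asc text holding two PGP PUBLIC KEY BLOCK sections, parses the blocks back into OpenPGP public-key packets, computes each key's v4 fingerprint as defined in RFC 4880 section 12.2, and looks up the key ID from a package signature in one plugin's store. The key material, seeds, file contents and helper names (build_demo_trust_store, find_signing_key and the rest) are all constructed for this example; the cryptographic signature check of step 2 is left to the installer's own PGP library and is not modelled.

```python
"""Model of the per-plugin trust store check.

Added example, not Shibboleth project code.  It constructs two minimal
OpenPGP v4 RSA public-key packets, armours them as the text a
truststore.asc would hold (two PGP PUBLIC KEY BLOCK sections), parses the
store back, computes each key's v4 fingerprint (RFC 4880 section 12.2)
and looks up the key that signed a package by key ID, which is the first
check the installer performs.  Key material and helper names are constructed.
"""
import base64
import hashlib
import re
import struct

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian value."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def build_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Tag 6 (public key) packet: v4, creation time, algorithm 1 (RSA), MPIs n and e.
    Old-format header with a two-byte length; its first byte is 0x99, the same
    byte the fingerprint computation prefixes."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body


def armor(packet: bytes) -> str:
    """ASCII armour one packet as a PUBLIC KEY BLOCK.  The CRC24 trailer is
    omitted in this constructed store; the parser below skips it when present."""
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, ""] + lines + [END])


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def parse_trust_store(text: str) -> list:
    """Return one record per PUBLIC KEY BLOCK in the store text.
    Only the leading public-key packet of each block is read; real blocks also
    carry user-ID and signature packets after it, which do not affect the fingerprint."""
    keys = []
    for block in re.findall(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S):
        # Drop blank lines, armour headers ("Version: ...") and the "=CRC24" line.
        b64 = "".join(line.strip() for line in block.splitlines()
                      if line.strip() and ":" not in line and not line.startswith("="))
        data = base64.b64decode(b64)
        tag_byte = data[0]
        if not tag_byte & 0x80 or tag_byte & 0x40:
            raise ValueError("only old-format packet headers are handled here")
        tag, length_type = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        if length_type == 0:
            length, offset = data[1], 2
        elif length_type == 1:
            length, offset = struct.unpack(">H", data[1:3])[0], 3
        elif length_type == 2:
            length, offset = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate packet length not supported")
        body = data[offset:offset + length]
        if tag != 6 or body[0] != 4:
            raise ValueError("block does not start with a v4 public-key packet")
        fingerprint = v4_fingerprint(body)
        keys.append({
            "fingerprint": fingerprint,
            "key_id": fingerprint[-16:],          # long key ID = low 64 bits
            "created": struct.unpack(">I", body[1:5])[0],
            "algorithm": body[5],
        })
    return keys


def find_signing_key(keys: list, key_id: str):
    """Installer step 1: is a certificate matching the signature's key ID in
    this plugin's store?  Returns the record or None; a key that lives only
    in another plugin's store is (correctly) not found."""
    key_id = key_id.upper()
    return next((k for k in keys if k["key_id"] == key_id), None)


def build_demo_trust_store(seed: int) -> str:
    """A constructed truststore.asc with two key blocks.  The RSA moduli are
    tiny placeholders; only the packet layout matters for this example."""
    first = build_public_key_packet(n=(0xC0FFEE << 96) | seed, e=65537, created=1600000000)
    second = build_public_key_packet(n=(0xBADF00D << 96) | seed, e=65537, created=1600000001)
    return armor(first) + "\n\n" + armor(second) + "\n"


if __name__ == "__main__":
    for record in parse_trust_store(build_demo_trust_store(seed=1)):
        print(record["key_id"], record["fingerprint"])
```

Run it to see the two constructed key IDs and fingerprints. The lookup is deliberately done against a single plugin's parsed store: a key ID that only appears in another plugin's truststore.asc returns None, which is the "no trust leakage" property the separate stores provide.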

The person creating the plugin MAY embed the certificates into the package. If they have done so and the certificate is not found in the trust store, you will be prompted whether you want to add that certificate to the trust store for this plugin.

.... TBD


(Need to add words about this being a silly thing to do)

