All plugins must  be PGP signed by a certificate which is known to the plugin installer subsystems.

Each Plugin has its own "trust store" where the PGP certificates for that plugin are stored.  The trust store is a text file which should contain one or more contain multiple  `PGP PUBLIC KEY BLOCK ` sections (for example the one here).  The trust store is located at %{idp.home}/credentials/pluginid/truststore.asc.  

Having a separate trust store for each plugin ensures that trust cannot "leak" from one plugin to another,

Before installing a plugin you SHOULD

  • Locate the signing certificate(s) for the plugin.
  • Verify them by a suitable out of band trust mechanism.
  • Place them at the required location.

During plugin installation and update the installer will

  1. Check that a certificate which matches the signature is in the trust store
  2. Use that certificate to check the validity of the package
  3. And if it is valid proceed with the install.

The person creating the plugin MAY embed the certificates into the package.  If they have done this and the certificate is not found in the trust store then you will be prompted whether you want to add this certificate to the trust store for this plugin.

something like
INFO [net.shibboleth.idp.installer.plugin.impl.PluginInstaller:274] - TrustStore does not contain signature 0X1483F262A4B3FF0
May I install this certificate:
Certificate:	0X1483F262A4B3FF0
FingerPrint:	4af4d83eeddf43da3c06cb3101483f262a4b3ff0
Username:	Rod Widdowson <> [Ny] 

(Need to add words about this being a silly thing to do)