I’m currently developing a plugin and want to sign it using the IntelliJ-recommended Plugin Signing process. We are currently using a different signing method.
According to the documentation, if a plugin is unsigned or signed with a revoked certificate, the IDE will display a warning dialog during installation.
I followed the documented steps and generated a signed ZIP under build/distributions/*-signed.zip.
How can I verify that the plugin is correctly signed? I executed the verifyPluginSignature task and got BUILD SUCCESSFUL. But also, what kind of warning should I expect if it isn’t properly signed using IntelliJ’s recommended process?
Is the warning below the one we are expecting?
But even when I installed the signed zip I am getting this warning.
Does anyone know what kind of warning I should expect if the plugin isn’t signed correctly? Also, is running the verifyPluginSignature task and seeing a BUILD SUCCESSFUL result enough to confirm that the signing is properly configured?
Thanks!
I second this question.
According to Plugin Signing | IntelliJ Platform Plugin SDK, we can’t upload our public key (not yet). So, how does the Marketplace or the IDE verify signed plugins?
I just want to be sure I fully understand the entire workflow before implementing it.
Thanks
Do we have some news?
I still don’t understand why we would sign plugins if we don’t share the public key. Isn’t it weird?
Thx
One more thing: I tried to sign a plugin via the CLI (Plugin Signing | IntelliJ Platform Plugin SDK), but there is no difference between the original jar and the signed jar (same checksums). The containing ZIPs have a different size (I guess different compression ratios); the jar files inside are identical.
The signing process completed with no error, and the verification did not reveal any error or warning. Meanwhile, it’s like it signed nothing.
What I did exactly:
- I built my plugin:
gradlew buildPlugin
- then I signed the generated Zip:
java -jar C:\Projects\ij-plugins-certs\marketplace-zip-signer-cli.jar sign -in "C:\Projects\ij-extra-tools-pack\build\distributions\Extra Tools Pack lifetime 2026.1.7.zip" -out "C:\Projects\ij-extra-tools-pack\build\distributions\Extra Tools Pack lifetime 2026.1.7-signed.zip" -cert-file "C:\Projects\ij-plugins-certs\jb_plugins_chain.crt" -key-file "C:\Projects\ij-plugins-certs\jb_plugins_private.pem" -key-pass "my strong password"
- finally, I checked the signed file:
java -jar C:\Projects\ij-plugins-certs\marketplace-zip-signer-cli.jar verify -in "C:\Projects\ij-extra-tools-pack\build\distributions\Extra Tools Pack lifetime 2026.1.7-signed.zip" -cert "C:\Projects\ij-plugins-certs\jb_plugins_chain.crt"
I generated my keys this way:
openssl genpkey -aes-256-cbc -algorithm RSA -out jb_plugins_private_encrypted.pem -pkeyopt rsa_keygen_bits:4096
openssl rsa -in jb_plugins_private_encrypted.pem -out jb_plugins_private.pem
openssl req -key jb_plugins_private.pem -new -x509 -days 3650 -out jb_plugins_chain.crt
I’m completely lost.
If my understanding is correct, plugin signing doesn’t work, and even if it worked, its current implementation (users/IDE still can’t access the public key) would be useless?
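An added example, not from this thread and not JetBrains' code: a small Python check that shows what a container-level signer changes in a ZIP. It assumes the signature is stored as a block inserted between the last ZIP entry and the central directory (the layout used by APK Signature Scheme v2); the sample plugin ZIP and the inserted block are constructed stand-ins, not the real signer's format. With that layout, every entry (including each jar) keeps its CRC and size, while the archive grows by exactly the size of the block, which a plain per-file checksum comparison cannot see.

```python
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"  # End Of Central Directory record signature


def entry_digests(zip_bytes):
    """Return {name: (crc32, uncompressed_size)} for every entry in the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {zi.filename: (zi.CRC, zi.file_size) for zi in zf.infolist()}


def central_directory_offset(zip_bytes):
    """Read the central directory offset from the EOCD record (non-Zip64 archives)."""
    eocd = zip_bytes.rfind(EOCD_MAGIC)
    if eocd < 0:
        raise ValueError("not a ZIP file: EOCD record missing")
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4) ...
    return struct.unpack_from("<I", zip_bytes, eocd + 16)[0]


def trailing_gap(zip_bytes):
    """Bytes between the end of the last local entry and the central directory.

    An APK-v2-style signature block lives exactly here, so an unsigned archive
    written by a normal ZIP tool reports 0 and a signed one reports the block size.
    """
    cd_offset = central_directory_offset(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
    if not infos:
        return cd_offset
    last = max(infos, key=lambda zi: zi.header_offset)
    # Local file header: 30 fixed bytes, name length at +26, extra length at +28.
    name_len, extra_len = struct.unpack_from("<HH", zip_bytes, last.header_offset + 26)
    data_end = last.header_offset + 30 + name_len + extra_len + last.compress_size
    if last.flag_bits & 0x08:  # a data descriptor follows the compressed data
        has_sig = zip_bytes[data_end:data_end + 4] == b"PK\x07\x08"
        data_end += 16 if has_sig else 12
    return cd_offset - data_end


def compare(original, signed):
    """Report whether the entries survived untouched and how much the container grew."""
    return {
        "entries_identical": entry_digests(original) == entry_digests(signed),
        "original_gap": trailing_gap(original),
        "signed_gap": trailing_gap(signed),
        "added_bytes": len(signed) - len(original),
    }


# --- constructed sample input (not a real plugin, not the real signer) ---

def build_sample_plugin_zip():
    """Constructed plugin distribution: two fake jars under a lib/ directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("my-plugin/lib/my-plugin.jar", b"constructed jar bytes " * 50)
        zf.writestr("my-plugin/lib/dep.jar", b"constructed dependency bytes " * 30)
    return buf.getvalue()


STAND_IN_BLOCK = b"CONSTRUCTED SIGNATURE BLOCK (stand-in for the real one)"


def simulate_signature_block(zip_bytes, block=STAND_IN_BLOCK):
    """Insert a block before the central directory and patch the EOCD offset.

    Mimics only the placement a v2-style signer uses; the block content is a
    constructed placeholder, not a real signature.
    """
    cd_offset = central_directory_offset(zip_bytes)
    eocd = zip_bytes.rfind(EOCD_MAGIC)
    out = bytearray(zip_bytes[:cd_offset] + block + zip_bytes[cd_offset:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(out)


if __name__ == "__main__":
    unsigned = build_sample_plugin_zip()
    signed = simulate_signature_block(unsigned)
    for key, value in compare(unsigned, signed).items():
        print(f"{key}: {value}")
```

Run against a real pair of archives by reading both files into bytes and calling compare(); identical entry digests together with a non-zero signed_gap is the signature the tool actually wrote, and it is invisible when only the extracted jars are checksummed.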