Clarification regarding code signing for plugins in the JetBrains marketplace

IntelliJ Platform Plugin Verifier
1

I’m currently developing a plugin and want to sign it using the IntelliJ-recommended Plugin Signing process. We are currently using a different signing method.

According to the documentation, if a plugin is unsigned or signed with a revoked certificate, the IDE will display a warning dialog during installation.
I followed the documented steps and generated a signed ZIP under build/distributions/*-signed.zip.

How can I verify that the plugin is correctly signed? I executed the verifyPluginSignature task and got BUILD SUCCESSFUL. But Also, what kind of warning should I expect if it isn’t properly signed using IntelliJ’s recommended process?

Is the below warning that we are expecting?
But even when I installed the signed zip I am getting this warning.

image
image872×140 11.4 KB

2

Does anyone know what kind of warning I should expect if the plugin isn’t signed correctly? Also, is running the verifyPluginSignature task and seeing a BUILD SUCCESSFUL result enough to confirm that the signing is properly configured?

Thanks!

3

I second this question.
According to Plugin Signing | IntelliJ Platform Plugin SDK, we can’t upload our public key (not yet). So, how does the Marketplace or the IDE verifies signed plugins?
I just want to be sure I fully understand the entire workflow before implementing it.
Thanks