# general
d
When installing Pulumi plugins using "`pulumi plugin install`", how is the executable code verified? Through a signature, or a checksum somewhere?
Looking through the source code I don't see either one???
e
It isn't; we mostly download releases from GitHub, which is also where we would get the checksums from, so there's no security benefit to verifying using those.
d
Ideally if you were using checksums they would be signed or included in the binary (whose checksum was verified as part of download/build)
Signatures are, of course, more flexible.
e
I know there were plans to look at binary signing for macOS. I don't think anything else is planned; feel free to raise an issue about it.
d
The current situation is really unsafe and I wouldn't recommend using it.