When installing Pulumi Plugins using "`pulumi plugin install`", how is the executable code verified ? Through a signature, or a checksum somewhere ?

It isn't, we mostly download releases from github, which is also where we would get the checksums from so there's no security benefit to verify using those.

Ideally if you were using checksums they would be signed or included in the binary (whose checksum was verified as part of download/build)

I know there were plans to look at binary signing for macos. I don't think anything else is planned, feel free to raise an issue about it.