{"id":48690364,"url":"https://github.com/salesforcecli/plugin-trust","last_synced_at":"2026-05-23T14:01:09.245Z","repository":{"id":37980338,"uuid":"313396894","full_name":"salesforcecli/plugin-trust","owner":"salesforcecli","description":null,"archived":false,"fork":false,"pushed_at":"2026-05-09T03:56:52.000Z","size":9406,"stargazers_count":2,"open_issues_count":4,"forks_count":2,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-05-09T05:42:20.564Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/salesforcecli.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-11-16T18:49:13.000Z","updated_at":"2026-05-09T03:56:18.000Z","dependencies_parsed_at":"2022-08-08T22:45:29.762Z","dependency_job_id":"e8ee3f57-7069-45a6-ac5c-0df60c128287","html_url":"https://github.com/salesforcecli/plugin-trust","commit_stats":{"total_commits":329,"total_committers":19,"mean_commits":17.31578947368421,"dds":"0.42553191489361697","last_synced_commit":"5670a37478895950df35e1b78d8626c5d2c7f052"},"previous_names":[],"tags_count":285,"template":false,"template_full_name":"salesforcecli/plugin-template","purl":"pkg:github/salesforcecli/plugin-trust","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salesforcecli%2Fplugin-trust","tags_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/salesforcecli%2Fplugin-trust/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salesforcecli%2Fplugin-trust/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salesforcecli%2Fplugin-trust/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/salesforcecli","download_url":"https://codeload.github.com/salesforcecli/plugin-trust/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salesforcecli%2Fplugin-trust/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33398391,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T04:15:53.637Z","status":"ssl_error","status_checked_at":"2026-05-23T04:15:53.242Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-11T05:13:36.314Z","updated_at":"2026-05-23T14:01:09.240Z","avatar_url":"https://github.com/salesforcecli.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# plugin-trust\n\n[![NPM](https://img.shields.io/npm/v/@salesforce/plugin-trust.svg?label=@salesforce/plugin-trust)](https://www.npmjs.com/package/@salesforce/plugin-trust) [![Downloads/week](https://img.shields.io/npm/dw/@salesforce/plugin-trust.svg)](https://npmjs.org/package/@salesforce/plugin-trust) 
[![License](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](https://opensource.org/license/apache-2-0)\n\nVerify the authenticity of a plugin being installed with `plugins:install`.\n\nThis plugin is bundled with the [Salesforce CLI](https://developer.salesforce.com/tools/sfdxcli). For more information on the CLI, read the [getting started guide](https://developer.salesforce.com/docs/atlas.en-us.sfdx_setup.meta/sfdx_setup/sfdx_setup_intro.htm).\n\nWe always recommend using the latest version of these commands bundled with the CLI. However, you can install a specific version or tag if needed.\n\n### Allowlisting\n\nIf a plugin needs to be installed unattended, as is the case with automation, the plugin acceptance prompt can be avoided by placing the plugin name in \\$HOME/.config/sf/unsignedPluginAllowList.json:\n\n```json\n[\n    \"@salesforce/npmName\",\n    \"plugin2\",\n    ...\n]\n```\n\nIf an allowlisted plugin is not signed, you won't be prompted to confirm the installation of an unsigned plugin. Instead, you'll get a message stating that the plugin was allowlisted, and the installation will proceed as normal.\n\n### Additional Verification Information\n\nIn addition to signature verification, further checks are in place to help ensure the authenticity of plugins.\n\n- DNS: The public key URL and signature URLs must have an https scheme and originate from developer.salesforce.com.\n- Cert Pinning: The digital fingerprint of developer.salesforce.com's certificate is validated. This helps prevent man-in-the-middle attacks.\n\n## Install\n\n```bash\nsfdx plugins:install trust@x.y.z\n```\n\n## Issues\n\nPlease report any issues at \u003chttps://github.com/forcedotcom/cli/issues\u003e\n\n## Contributing\n\n1. Please read our [Code of Conduct](CODE_OF_CONDUCT.md)\n2. Create a new issue before starting your project so that we can keep track of\n   what you are trying to add/fix. 
That way, we can also offer suggestions or\n   let you know if there is already an effort in progress.\n3. Fork this repository.\n4. [Build the plugin locally](#build)\n5. Create a _topic_ branch in your fork. Note, this step is recommended but technically not required if contributing using a fork.\n6. Edit the code in your fork.\n7. Write appropriate tests for your changes. Try to achieve at least 95% code coverage on any new code. No pull request will be accepted without unit tests.\n8. Sign CLA (see [CLA](#cla) below).\n9. Send us a pull request when you are done. We'll review your code, suggest any needed changes, and merge it in.\n\n### CLA\n\nExternal contributors will be required to sign a Contributor's License\nAgreement. You can do so by going to \u003chttps://cla.salesforce.com/sign-cla\u003e.\n\n### Build\n\nTo build the plugin locally, make sure to have yarn installed and run the following commands:\n\n```bash\n# Clone the repository\ngit clone git@github.com:salesforcecli/plugin-trust\n\n# Install the dependencies and compile\nyarn install\nyarn build\n```\n\nTo use your plugin, run using the local `./bin/dev` or `./bin/dev.cmd` file.\n\n```bash\n# Run using local run file.\n./bin/dev plugins:trust\n```\n\nThere should be no differences when running via the Salesforce CLI or using the local run file. 
However, it can be useful to link the plugin to do some additional testing or run your commands from anywhere on your machine.\n\n```bash\n# Link your plugin to the sfdx cli\nsfdx plugins:link .\n# To verify\nsfdx plugins\n```\n\n## Commands\n\n\u003c!-- commands --\u003e\n\n- [`@salesforce/plugin-trust plugins trust allowlist add`](#salesforceplugin-trust-plugins-trust-allowlist-add)\n- [`@salesforce/plugin-trust plugins trust allowlist list`](#salesforceplugin-trust-plugins-trust-allowlist-list)\n- [`@salesforce/plugin-trust plugins trust allowlist remove`](#salesforceplugin-trust-plugins-trust-allowlist-remove)\n- [`@salesforce/plugin-trust plugins trust verify`](#salesforceplugin-trust-plugins-trust-verify)\n\n## `@salesforce/plugin-trust plugins trust allowlist add`\n\nAdd plugins to the plugin allowlist.\n\n```\nUSAGE\n  $ @salesforce/plugin-trust plugins trust allowlist add -n \u003cvalue\u003e... [--json] [--flags-dir \u003cvalue\u003e]\n\nFLAGS\n  -n, --name=\u003cvalue\u003e...  (required) The npm name of the plugin to add to the allowlist. Add multiple plugins by\n                         specifying the `--name` flag multiple times.\n\nGLOBAL FLAGS\n  --flags-dir=\u003cvalue\u003e  Import flag values from a directory.\n  --json               Format output as json.\n\nDESCRIPTION\n  Add plugins to the plugin allowlist.\n\n  The plugin allowlist lets users automatically install a plugin without being prompted, even when the plugin is\n  unsigned.\n\n  This command adds one or more plugins to the `unsignedPluginAllowList.json` file, creating the file if it doesn't\n  exist. 
Plugins already present in the allowlist are skipped.\n\nEXAMPLES\n  Add a single plugin to the allowlist:\n\n    $ @salesforce/plugin-trust plugins trust allowlist add --name @scope/my-plugin\n\n  Add multiple plugins to the allowlist:\n\n    $ @salesforce/plugin-trust plugins trust allowlist add --name @scope/my-plugin --name another-plugin\n```\n\n_See code: [src/commands/plugins/trust/allowlist/add.ts](https://github.com/salesforcecli/plugin-trust/blob/3.8.10/src/commands/plugins/trust/allowlist/add.ts)_\n\n## `@salesforce/plugin-trust plugins trust allowlist list`\n\nList the plugins on the plugin allowlist.\n\n```\nUSAGE\n  $ @salesforce/plugin-trust plugins trust allowlist list [--json] [--flags-dir \u003cvalue\u003e]\n\nGLOBAL FLAGS\n  --flags-dir=\u003cvalue\u003e  Import flag values from a directory.\n  --json               Format output as json.\n\nDESCRIPTION\n  List the plugins on the plugin allowlist.\n\n  The plugin allowlist lets users automatically install a plugin without being prompted, even when the plugin is\n  unsigned.\n\n  This command prints the contents of the `unsignedPluginAllowList.json` file as a table.\n\nEXAMPLES\n  List all plugins on the allowlist:\n\n    $ @salesforce/plugin-trust plugins trust allowlist list\n```\n\n_See code: [src/commands/plugins/trust/allowlist/list.ts](https://github.com/salesforcecli/plugin-trust/blob/3.8.10/src/commands/plugins/trust/allowlist/list.ts)_\n\n## `@salesforce/plugin-trust plugins trust allowlist remove`\n\nRemove plugins from the plugin allowlist.\n\n```\nUSAGE\n  $ @salesforce/plugin-trust plugins trust allowlist remove -n \u003cvalue\u003e... [--json] [--flags-dir \u003cvalue\u003e]\n\nFLAGS\n  -n, --name=\u003cvalue\u003e...  (required) The npm name of the plugin to remove from the allowlist. 
Remove multiple plugins by\n                         specifying the `--name` flag multiple times.\n\nGLOBAL FLAGS\n  --flags-dir=\u003cvalue\u003e  Import flag values from a directory.\n  --json               Format output as json.\n\nDESCRIPTION\n  Remove plugins from the plugin allowlist.\n\n  The plugin allowlist lets users automatically install a plugin without being prompted, even when the plugin is\n  unsigned.\n\n  This command removes one or more plugins from the `unsignedPluginAllowList.json` file. Plugins not present in the\n  allowlist are skipped.\n\nEXAMPLES\n  Remove a single plugin from the allowlist:\n\n    $ @salesforce/plugin-trust plugins trust allowlist remove --name @scope/my-plugin\n\n  Remove multiple plugins from the allowlist:\n\n    $ @salesforce/plugin-trust plugins trust allowlist remove --name @scope/my-plugin --name another-plugin\n```\n\n_See code: [src/commands/plugins/trust/allowlist/remove.ts](https://github.com/salesforcecli/plugin-trust/blob/3.8.10/src/commands/plugins/trust/allowlist/remove.ts)_\n\n## `@salesforce/plugin-trust plugins trust verify`\n\nValidate a digital signature.\n\n```\nUSAGE\n  $ @salesforce/plugin-trust plugins trust verify -n \u003cvalue\u003e [--json] [--flags-dir \u003cvalue\u003e] [-r \u003cvalue\u003e]\n\nFLAGS\n  -n, --npm=\u003cvalue\u003e       (required) Specify the npm name. This can include a tag/version.\n  -r, --registry=\u003cvalue\u003e  The registry name. 
The behavior is the same as npm.\n\nGLOBAL FLAGS\n  --flags-dir=\u003cvalue\u003e  Import flag values from a directory.\n  --json               Format output as json.\n\nDESCRIPTION\n  Validate a digital signature.\n\n  Verifies the digital signature on an npm package matches the signature and key stored at the expected URLs.\n\nEXAMPLES\n  $ @salesforce/plugin-trust plugins trust verify --npm @scope/npmName --registry https://npm.pkg.github.com\n\n  $ @salesforce/plugin-trust plugins trust verify --npm @scope/npmName\n```\n\n_See code: [src/commands/plugins/trust/verify.ts](https://github.com/salesforcecli/plugin-trust/blob/3.8.10/src/commands/plugins/trust/verify.ts)_\n\n\u003c!-- commandsstop --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalesforcecli%2Fplugin-trust","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsalesforcecli%2Fplugin-trust","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalesforcecli%2Fplugin-trust/lists"}