Fix plugin verification docs: replace removed CLI commands#1501
Fix plugin verification docs: replace removed CLI commands#1501
Conversation
…g instructions The plugin key management CLI commands (mattermost plugin add key, mattermost plugin keys, mattermost plugin delete key) were removed in Mattermost v6.3.0 (commit 8f01a1b5a1, MM-36448) and were never added to mmctl. The documentation also had incorrect syntax even before removal (docs said "plugin add key" but actual command was "plugin keys add"). Replace the non-existent CLI commands with the current method: configuring PluginSettings.SignaturePublicKeyFiles in config.json.
📝 WalkthroughWalkthroughDocumentation updated to remove CLI-based plugin public key management instructions and replace them with configuration-based guidance. Admins now add custom verification keys via Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes 🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
|
Newest code from mattermost has been published to preview environment for Git SHA ad7306c |
|
Newest code from mattermost has been published to preview environment for Git SHA 0fccd5e |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull request overview
Updates the “Plugin verification” documentation to remove references to legacy mattermost plugin ... key(s) CLI commands (removed in Mattermost v6.3.0) and replaces them with the current configuration-based approach for adding plugin signature verification keys.
Changes:
- Replaced removed legacy CLI key-management commands with
PluginSettings.SignaturePublicKeyFilesconfiguration guidance. - Clarified that plugin verification checks both the built-in Mattermost key and any additional admin-configured keys.
- Added a
config.jsonsnippet and note about where key files must be stored.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| Mattermost server will verify plugin signatures downloaded from the Marketplace. Plugins are verified against a hard-coded Mattermost public key, as well as any additional public keys configured on the server. | ||
|
|
||
| `mattermost plugin add key my-pub-key` | ||
| To add custom public keys for plugin signature verification, add the key file names to the `PluginSettings.SignaturePublicKeyFiles` setting in your `config.json`: |
There was a problem hiding this comment.
This section describes verification keys as a “hard-coded Mattermost public key”, but earlier in the same document the terminology is “default certificate” / “public key certificate” (see around lines 105-107). To avoid confusion about whether this is a raw public key vs a certificate, align the wording here with the earlier terminology (or update both to use a single, consistent term).
| "PluginSettings": { | ||
| "SignaturePublicKeyFiles": ["my-pub-key-1", "my-pub-key-2"] |
There was a problem hiding this comment.
The JSON example is a fragment (missing the outer {}), which makes it ambiguous where it belongs in config.json and can be confusing when copying/pasting. Consider showing a complete (or clearly elided) JSON object that includes the top-level braces and PluginSettings nesting, consistent with other config snippets in this docs repo.
| "PluginSettings": { | |
| "SignaturePublicKeyFiles": ["my-pub-key-1", "my-pub-key-2"] | |
| { | |
| "PluginSettings": { | |
| "SignaturePublicKeyFiles": ["my-pub-key-1", "my-pub-key-2"] | |
| } |
Summary
mattermostCLI commands (mattermost plugin add key,mattermost plugin keys,mattermost plugin delete key) that were removed in Mattermost v6.3.0 (commit8f01a1b5a1, MM-36448: Removes legacy CLI commands).mmctl— the currentmmctl pluginsubcommands (add,install-url,delete,enable,disable,list) do not include any key management functionality.PluginSettings.SignaturePublicKeyFilesinconfig.json.server/channels/app/plugin_signature.go).