grafana/docs/sources/plugins/plugin-signatures.md

+++
title = "Plugin signatures"
type = "docs"
aliases = ["/docs/grafana/latest/plugins/plugin-signature-verification"]
+++

# Plugin signatures

Plugin signature verification (signing) is a security measure to make sure plugins haven't been tampered with. Upon loading, Grafana checks to see if a plugin is signed or unsigned when inspecting and verifying its digital signature.

At startup, Grafana verifies the signatures of every plugin in the plugin directory. If a plugin is unsigned, then Grafana does not load nor start it. To see the result of this verification for each plugin, navigate to **Configuration** -> **Plugins**.

Grafana also writes an error message to the server log:

```bash
WARN[05-26|12:00:00] Some plugin scanning errors were found   errors="plugin '<plugin id>' is unsigned, plugin '<plugin id>' has an invalid signature"
```

If you are a plugin developer and want to know how to sign your plugin, refer to [Sign a plugin]({{< relref "../developers/plugins/sign-a-plugin.md" >}}).

| Signature status | Description |
| ---------------- | ----------- |
| Core | Core plugin built into Grafana. |
| Invalid signature | The plugin has a invalid signature. |
| Modified signature | The plugin has changed since it was signed. This may indicate malicious intent. |
| Unsigned | The plugin is not signed. |
| Signed | The plugin signature was successfully verified. |

## Plugin signature levels

All plugins is signed under a _signature level_. The signature level determines how the plugin can be distributed.

|**Plugin Level**|**Description**|
|---|---|
|Private|<p>Private plugins are for use on your own Grafana. They may not be distributed to the Grafana community, and are not published in the Grafana catalog.</p>|
|Community|<p>Community plugins have dependent technologies that are open source and not for profit.</p><p>Community plugins are published in the official Grafana catalog, and are available to the Grafana community.</p>|
|Commercial|<p>Commercial plugins have dependent technologies that are closed source or commercially backed.</p><p>Commercial Plugins are published on the official Grafana catalog, and are available to the Grafana community.</p>|

## Allow unsigned plugins

We strongly recommend that you don't run unsigned plugins in your Grafana installation. If you're aware of the risks and you still want to load an unsigned plugin, refer to [Configuration]({{< relref "../administration/configuration.md#allow_loading_unsigned_plugins" >}}).

If you've allowed loading of an unsigned plugin, then Grafana writes a warning message to the server log:

```bash
WARN[06-01|16:45:59] Running an unsigned plugin   pluginID=<plugin id>
```

> **Note:** If you're developing a plugin, then you can enable development mode to allow all unsigned plugins.
Docs: Plugin signing docs (#28671) * WIP * Update plugin signing docs * Fix review comments 2020-11-05 09:40:33 -06:00			`+++`
			`title = "Plugin signatures"`
			`type = "docs"`
Docs: Replace next with latest in aliases (#33054) 2021-04-15 16:08:58 -05:00			`aliases = ["/docs/grafana/latest/plugins/plugin-signature-verification"]`
Docs: Plugin signing docs (#28671) * WIP * Update plugin signing docs * Fix review comments 2020-11-05 09:40:33 -06:00			`+++`

			`# Plugin signatures`

			`Plugin signature verification (signing) is a security measure to make sure plugins haven't been tampered with. Upon loading, Grafana checks to see if a plugin is signed or unsigned when inspecting and verifying its digital signature.`

Plugins: Update plugin signing copy + docs (#34716) * update plugin signing copy + docs * rewording * remove grafana sig note * update unsigned plugin wording * remove org admin reference in catalog docs * add whitespace to message * apply pr suggestion Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * apply pr feedback Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> 2021-05-31 14:54:53 -05:00			`At startup, Grafana verifies the signatures of every plugin in the plugin directory. If a plugin is unsigned, then Grafana does not load nor start it. To see the result of this verification for each plugin, navigate to Configuration -> Plugins.`
Docs: Plugin signing docs (#28671) * WIP * Update plugin signing docs * Fix review comments 2020-11-05 09:40:33 -06:00
Plugins: Update plugin signing copy + docs (#34716) * update plugin signing copy + docs * rewording * remove grafana sig note * update unsigned plugin wording * remove org admin reference in catalog docs * add whitespace to message * apply pr suggestion Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * apply pr feedback Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> 2021-05-31 14:54:53 -05:00			`Grafana also writes an error message to the server log:`

			```bash
			`WARN[05-26\|12:00:00] Some plugin scanning errors were found errors="plugin '<plugin id>' is unsigned, plugin '<plugin id>' has an invalid signature"`
			```

			`If you are a plugin developer and want to know how to sign your plugin, refer to [Sign a plugin]({{< relref "../developers/plugins/sign-a-plugin.md" >}}).`
Docs: Plugin signing docs (#28671) * WIP * Update plugin signing docs * Fix review comments 2020-11-05 09:40:33 -06:00
			`\| Signature status \| Description \|`
			`\| ---------------- \| ----------- \|`
			`\| Core \| Core plugin built into Grafana. \|`
			`\| Invalid signature \| The plugin has a invalid signature. \|`
			`\| Modified signature \| The plugin has changed since it was signed. This may indicate malicious intent. \|`
			`\| Unsigned \| The plugin is not signed. \|`
			`\| Signed \| The plugin signature was successfully verified. \|`

			`## Plugin signature levels`

			`All plugins is signed under a _signature level_. The signature level determines how the plugin can be distributed.`

			`\|Plugin Level\|Description\|`
			`\|---\|---\|`
			`\|Private\|<p>Private plugins are for use on your own Grafana. They may not be distributed to the Grafana community, and are not published in the Grafana catalog.</p>\|`
			`\|Community\|<p>Community plugins have dependent technologies that are open source and not for profit.</p><p>Community plugins are published in the official Grafana catalog, and are available to the Grafana community.</p>\|`
			`\|Commercial\|<p>Commercial plugins have dependent technologies that are closed source or commercially backed.</p><p>Commercial Plugins are published on the official Grafana catalog, and are available to the Grafana community.</p>\|`

			`## Allow unsigned plugins`

Plugins: Enforce signing for all plugins (#34364) * enforce non-backend plugin signing * fix tests * add tests * add signatures * apply PR feedback * update upgrading docs 2021-05-19 08:42:50 -05:00			`We strongly recommend that you don't run unsigned plugins in your Grafana installation. If you're aware of the risks and you still want to load an unsigned plugin, refer to [Configuration]({{< relref "../administration/configuration.md#allow_loading_unsigned_plugins" >}}).`
Docs: Plugin signing docs (#28671) * WIP * Update plugin signing docs * Fix review comments 2020-11-05 09:40:33 -06:00
Plugins: Update plugin signing copy + docs (#34716) * update plugin signing copy + docs * rewording * remove grafana sig note * update unsigned plugin wording * remove org admin reference in catalog docs * add whitespace to message * apply pr suggestion Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * apply pr feedback Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> 2021-05-31 14:54:53 -05:00			`If you've allowed loading of an unsigned plugin, then Grafana writes a warning message to the server log:`
Docs: Plugin signing docs (#28671) * WIP * Update plugin signing docs * Fix review comments 2020-11-05 09:40:33 -06:00
			```bash
Plugins: Update plugin signing copy + docs (#34716) * update plugin signing copy + docs * rewording * remove grafana sig note * update unsigned plugin wording * remove org admin reference in catalog docs * add whitespace to message * apply pr suggestion Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * apply pr feedback Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> 2021-05-31 14:54:53 -05:00			`WARN[06-01\|16:45:59] Running an unsigned plugin pluginID=<plugin id>`
Docs: Plugin signing docs (#28671) * WIP * Update plugin signing docs * Fix review comments 2020-11-05 09:40:33 -06:00			```

			`> Note: If you're developing a plugin, then you can enable development mode to allow all unsigned plugins.`