Understanding Trust
Open Choice uses cryptographic signatures and runtime monitoring to give you confidence in the plugins you run. This page explains how the trust system works and what the status labels mean.
Trust status
Every installed plugin has a trust_status that reflects how much confidence you can currently place in it.
| Status | Meaning | Can run? |
|---|---|---|
| verified | Signed by a publisher in the trusted key store | Yes |
| warning | Installed in developer mode without a trusted signature | Yes, with awareness |
| quarantined | Automatically or manually disabled due to a safety concern | No |
How a plugin becomes verified
When a plugin is packaged, the author signs manifest.json with an Ed25519 private key. The corresponding public key is registered in the Open Choice trusted key store.
At install time, the host verifies the signature. If the key matches a trusted entry, the plugin gets trust_status = verified. The key store ships with Open Choice and is updated with new releases.
There are two trust tiers within verified:
- first_party — plugins published by Open Choice itself
- known_publisher — plugins from registered community publishers
Both display as verified in the UI. The distinction matters if you are a developer submitting to the registry.
How a plugin becomes quarantined
Quarantine happens in three situations:
Revocation — When Open Choice starts, it checks all installed plugins against a revocation list embedded in the app. If a plugin’s key has been revoked (due to a compromised key or a withdrawn plugin), it is quarantined immediately. You will see a notification on next launch.
Binary missing — If the plugin binary is no longer at the path recorded at install time, the host quarantines the plugin and records the event. This typically means the plugins directory was moved or a file was deleted manually.
Repeated runtime errors — If a plugin produces 3 or more errors within a 1-hour window, it is auto-quarantined. This protects against a misbehaving plugin consuming resources or corrupting output. See Managing Plugins for how to unquarantine.
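The three quarantine triggers above, modelled as an added example; this is not Open Choice's own code. The Plugin record and its field names, the reason strings, the order of the startup checks, and the sliding-window reading of "within a 1-hour window" are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import Path
from typing import Optional

ERROR_THRESHOLD = 3                # "3 or more errors"
ERROR_WINDOW = timedelta(hours=1)  # "within a 1-hour window"

@dataclass
class Plugin:  # hypothetical record, not Open Choice's real schema
    name: str
    key_id: Optional[str]          # signing key id; None if unsigned (assumed field)
    binary_path: Path              # path recorded at install time
    trust_status: str = "verified"
    quarantine_reason: Optional[str] = None   # reason strings are assumptions
    error_times: list = field(default_factory=list)

def quarantine(p: Plugin, reason: str) -> Plugin:
    p.trust_status, p.quarantine_reason = "quarantined", reason
    return p

def startup_check(p: Plugin, revoked_key_ids: set) -> Plugin:
    """Launch-time checks; running revocation first is an assumed order."""
    if p.key_id is not None and p.key_id in revoked_key_ids:
        return quarantine(p, "revoked")
    if not p.binary_path.is_file():
        return quarantine(p, "binary_missing")
    return p

def record_error(p: Plugin, when: datetime) -> Plugin:
    """Log one runtime error; quarantine at 3+ errors inside the last hour."""
    cutoff = when - ERROR_WINDOW
    # Keep only errors newer than the cutoff (sliding window, an assumption).
    p.error_times = [t for t in p.error_times if t > cutoff] + [when]
    if len(p.error_times) >= ERROR_THRESHOLD:
        quarantine(p, "repeated_errors")
    return p

if __name__ == "__main__":
    # Constructed sample data: key ids, path and timestamps are made up.
    t0 = datetime(2024, 1, 1, 12, 0)
    flaky = Plugin("flaky", "key-a", Path(__file__))
    for minutes in (0, 30, 59):
        record_error(flaky, t0 + timedelta(minutes=minutes))
    print(flaky.trust_status, flaky.quarantine_reason)
    revoked = startup_check(Plugin("old", "key-r", Path(__file__)), {"key-r"})
    print(revoked.trust_status, revoked.quarantine_reason)
```

Errors spaced more than an hour apart never accumulate in this model, so a plugin that fails occasionally stays runnable while a burst of failures disables it.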
The revocation list
The revocation list is embedded in the app binary and checked at startup. It cannot be bypassed. If a plugin you rely on is revoked, you will need to either update Open Choice (which may include an updated list) or wait for the publisher to release a re-signed version.
Developer mode
Developer mode allows installing plugins that are unsigned or self-signed — plugins you are building yourself or testing locally. Plugins installed in developer mode receive trust_status = warning.
Warning-status plugins can run tasks, but they are displayed with a warning indicator and their capabilities are shown prominently as a reminder.
Developer mode is intended for plugin development only. Do not leave it enabled when running untrusted packages. To toggle it, open Tools → Developer Mode… from the menu bar, or open Settings → Advanced.