To increase security, we should promote plugin signing and implement signature verification for the user to understand whether a plugin payload is what's intended.

Describe the solution you'd like

TBD

• fairly standard ways of doing it should be used (what's being used for other artifact hub things? What about with github?)
• The experience of users using this should be good. If it's a terrible to sign things, that will drive people away and decrease security.

What users will benefit from this feature?

Extra assurance/security.