How to sign and package a plugin before submitting for review

I want to submit a panel plugin for review, but can’t figure out the exact process for packaging it.
I am able to locally build and sign it using my private API key.
I’ve added the release github action to my repo, assuming it will create the zip archive (and store it as a release in the repo) which I can then submit as the URL in the Grafana Cloud Submit Plugin UI.
However, the action fails during the Lint plugin step with the following error: Plugin has a private signature

Should the zip archive contain just the packaged (but not signed) plugin?
Should I build it locally, sign with my private API key and submit that zip archive? In that case, what should the rootURLs be?
Is there some other way to sign it for review submissions?

Hey!

You can sign a plugin as either public or private. To sign a plugin as public, you first need to obtain a signature level from the Grafana team. The team assigns a signature level as part of the initial review after you’ve submitted it.

For private plugins, you need to configure the root URLs of the Grafana instances where you intend to use the plugin.

When you submit your plugin for the first time, it’s going to be unsigned (that’s ok!). The team will assign the signature level so that you can sign it and resubmit a signed version.

Thanks!
Might be helpful for others to explicitly point it out somewhere in the docs (the fact that a plugin submitted for the first time should be unsigned)

Would be very helpful indeed! I’ll make sure to forward it to the team!

Just in case this helps anyone, I’ve created this workflow (based on the release github action) which creates a non-signed version which can be submitted for the initial review.

(For some reason, just using the release github action with the packaged unsigned plugin didn’t work. The link to the zip archive worked in the browser, but the plugin validator kept returning a 500 error back)

1 Like

@boazreicher Cool Sierra Plot plugin btw, I will include it in our plugins review this week.

There is a version 2 of plugin validator which has customizable checks using configuration files and supports private plugins. It’s used internally by the Grafana team and the default workflow should migrate to it at some point: GitHub - grafana/plugin-validator: Tool for validating Grafana community plugins

1 Like