plugin_unknown_signer
Diagnostic `nanook::plugin::unknown_signer`
Summary
plugin `{0}` signature does not match any trusted signer
Help
audit the publisher's .pub line and add it to [plugins.signature].signers, or rebuild the plugin against a key on that list
Details
When this fires
The plugin shipped a manifest plus signature (or an embedded trailer), but the signature did not verify against any of the keys in [plugins.signature].signers. Ed25519 detached signatures do not carry the signer's public key, so the host cannot name the offending fingerprint; all we know is that none of the trusted keys produced this signature.
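The behaviour described above, as an added example that is not nanook's own code: a minimal pure-Python Ed25519 verifier (variable time, for illustration only) that tries a detached signature against each trusted key in turn. The function names are hypothetical; the publisher key and signature are RFC 8032 section 7.1 TEST 1, whose message is empty, and OTHER_KEY is a constructed placeholder.

```python
import hashlib

P = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
D = -121665 * pow(121666, -1, P) % P                 # curve constant d

def _h(*parts):  # SHA-512 of the concatenation, as a little-endian integer
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def _add(a, b):  # affine Edwards addition (variable time; demo only)
    t = D * a[0] * b[0] * a[1] * b[1]
    return ((a[0]*b[1] + b[0]*a[1]) * pow(1 + t, -1, P) % P,
            (a[1]*b[1] + a[0]*b[0]) * pow(1 - t, -1, P) % P)

def _mul(k, pt):  # double-and-add, least significant bit first
    acc = (0, 1)
    for bit in bin(k)[:1:-1]:
        acc, pt = (_add(acc, pt) if bit == "1" else acc), _add(pt, pt)
    return acc

def _decode(b):  # 32-byte encoding -> (x, y); ValueError if not a curve point
    n = int.from_bytes(b, "little")
    y, sign = n % 2**255, n >> 255
    xx = (y*y - 1) * pow(D*y*y + 1, -1, P) % P
    x = pow(xx, (P + 3) // 8, P)
    x = x if (x*x - xx) % P == 0 else x * pow(2, (P - 1) // 4, P) % P
    if len(b) != 32 or y >= P or (x*x - xx) % P or (x == 0 and sign):
        raise ValueError("invalid point encoding")
    return (P - x if x & 1 != sign else x, y)

B = _decode((4 * pow(5, -1, P) % P).to_bytes(32, "little"))  # base point, y = 4/5

def verify(pub, msg, sig):
    try:
        A, R = _decode(pub), _decode(sig[:32])
    except ValueError:
        return False
    s, k = int.from_bytes(sig[32:], "little"), _h(sig[:32], pub, msg) % L
    return len(sig) == 64 and s < L and _mul(s, B) == _add(R, _mul(k, A))

def matching_signer(signers, manifest, sig):
    # The signature holds only R and s, so try each key; None = unknown signer.
    return next((i for i, k in enumerate(signers) if verify(k, manifest, sig)), None)

# Sample data: RFC 8032 7.1 TEST 1 key/signature (empty message); OTHER_KEY is constructed.
PUBLISHER = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
SIG = bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
                    "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")
OTHER_KEY = bytes([0x58] + [0x66] * 31)
```

In this sketch a manifest changed after signing produces the same None as a key that is missing from the list; the verification equation cannot tell the two apart.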
What to check
Confirm with the publisher which .pub line vouches for the plugin you have on disk, then add that line to [plugins.signature].signers.
# show the signers the agent currently trusts
If the publisher rotated keys, accept the new .pub line and remove the old one in the same edit. Adding a key here is a trust decision: audit the publisher and the build provenance before pasting it in.