There has been considerable discussion ‘behind the scenes’ between authors and Trimble.
They introduced the signing process against the advice of many… including me !
As I’ll explain later it is something of an illusion !
If you get an extension from the EW then you are assured that they have been vetted and meet some minimum coding standards.
An older extension’s RBZ might not be signed at all, or it might be signed for v2016, but not have a current signature [ they changed the signing system with v2017 ! ]
I am surprised that ‘none’ of my offerings at the SketchUcation PluginStore are reporting as ‘having an up to date signing’, I have published several updates to be compatible with v2017 ??
But I do know that some are only signed for v2016…
Many of the SketchUcation PluginStore’s authors’ downloads have been signed for v2017 compatibility, whilst more were previously signed for v2016.
By introducing and then changing the signing system Trimble put a burden on authors that far exceeded their assumptions.
Plugins which worked for years now report as unsigned, or if they have been signed previously they can still report as outdated !
It takes not inconsiderable effort by authors to get their RBZs signed.
If they use the EW they need to resubmit new versions for consideration - these are auto-signed if found compliant and meeting some minimum coding standards…
If authors use other outlets, like SketchUcation PluginStore, Smustard.com or an author’s own download site, they have to submit their RBZ to a special Trimble ‘portal’ where they must be a registered developer, and the RBZ is signed [assuming it is structured in a particular way !]
However, this method of signing has no checks on an RBZ file’s contents - they may or may not meet some basic coding standards !
The assurance of being ‘signed’ is somewhat illusory !
So… the best assurance of an RBS file being ‘kosher’ is actually to get it from a known and trusted author…
That is, either from an author who uses the EW to distribute their extensions, or from an author like myself or Fredo6, who are represented at the SketchUcation PluginStore, or from one of the other well known author groups like Smustard.com etc…
If you choose an extension loading policy that is ‘unrestricted’ all plugins will load.
Choosing a more limited policy is more restrictive, but offers little real comfort !
Currently limiting yourself up to date signed extensions offers no real protection.
Having introduced a signing system, then I suspect that in the long term Trimble plan to try and force all authors into using their EW, where they can enforce certain coding conventions and so on… and then stop non-signed code from loading at all…
However, this then presents all kinds of issues - like users who want to write or use their own scripts, and of course how developers might write and test their scripts prior to getting them signed… I suspect that there will be insurmountable difficulties, at least without a draconian regime, that we all hope will not come about !