Plugins should be able to utilize pgp for release authenticity. I propose the following flow:

Allow Plugins to configure one or multiple pgp public keys which are allowed to sign releases.

If keys are configured, a new build will be in Unsigned state after finishing. Plugin authors will have to sign the provided shasum manifest in order to actually release.

Looking ahead, those pgp keys could be exposed via the api aswell to allow btcpay itself to download those and verify plugins.

This could protect against compromise of plugin builder accounts or the entire builder service. Btcpay servers could download and store the key upon first install and then subsequently check for changes on plugin updates. If the key expired or changed, a warning can be showed to tell the user to verify whats been happening externally.