Plugin Signing cross-links

topics/basics/getting_started/publishing_plugin.md

@@ -9,6 +9,9 @@ You can choose to publish it on the [JetBrains Plugins Repository](https://plugi
  >
  {type="tip"}
 
+Before publishing your plugin, make sure it is signed.
+For more details on generating a proper certificate and configuring the signing process, check the [Plugin Signing](plugin_signing.md) article.
+
 ## Publishing to the JetBrains Plugins Repository
 To upload your plugin to the [JetBrains Plugins Repository](https://plugins.jetbrains.com),  you must log in with your personal JetBrains Account.
 
@@ -28,4 +31,4 @@ To upload your plugin to the [JetBrains Plugins Repository](https://plugins.jetb
 New versions can be uploaded on the plugin's detail page, see [Marketplace Docs](https://plugins.jetbrains.com/docs/marketplace/custom-release-channels.html) for details.
 
 ## Publishing a Plugin to a Custom Plugin Repository
-If you plan to publish your plugin to a repository _other than_ the [JetBrains Plugins Repository](https://plugins.jetbrains.com), please refer to the [Publishing to Custom Plugin Repositories](update_plugins_format.md) documentation.
+If you plan to publish your plugin to a repository _other than_ the [JetBrains Plugins Repository](https://plugins.jetbrains.com), please refer to the [Publishing to Custom Plugin Repositories](update_plugins_format.md) documentation.

topics/basics/plugin_signing.md

@@ -23,14 +23,16 @@ The plugin author's sign-verify process is as follows:
 - The JetBrains sign-verify process is as follows:
   - JetBrains CA is used as the source of truth here.
   - Its public part will be added to the IDE Java TrustStore, while the private part will be used only once to generate an intermediate certificate.
-  - The private key of JetBrains CA is super-secret; in fact, we've already said too much.
+  - The private key of JetBrains CA is super-secret; in fact, we've already said too much. 
-- The intermediate certificate issues a certificate that will be used to sign plugins.
+
-  This way, it will be possible to re-generate this certificate without access to JetBrains CA's super-secret private key.
+The intermediate certificate issues a certificate that will be used to sign plugins.
-  The private key of the intermediate certificate is issued and kept in the AWS Certificate Manager, and no application has access to it; people's access is also limited.
+This way, it will be possible to re-generate this certificate without access to JetBrains CA's super-secret private key.
-  So now we have an AWS-based Intermediate CA.
+The private key of the intermediate certificate is issued and kept in the AWS Certificate Manager, and no application has access to it; people's access is also limited.
-  The public part of the intermediate certificate will be added to the plugin file together with the signing certificate.
+So now we have an AWS-based Intermediate CA.
-- The certificate used to sign plugins is stored securely, too.
+The public part of the intermediate certificate will be added to the plugin file together with the signing certificate. 
-  JetBrains Marketplace uses AWS KMS as a signature provider to sign plugin files.
+
+The certificate used to sign plugins is stored securely, too.
+JetBrains Marketplace uses AWS KMS as a signature provider to sign plugin files.
 
 ## Signing Methods
 
@@ -45,7 +47,11 @@ Both methods require a private certificate key to be already present.
 To generate an RSA `private.pem` private key, run the `openssl genpkey` command in the terminal, as below:
 
 ```bash
-openssl genpkey -aes-256-cbc -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:4096
+openssl genpkey\
+  -aes-256-cbc\
+  -algorithm RSA\
+  -out private.pem\
+  -pkeyopt rsa_keygen_bits:4096
 ```
 
 At this point, the generated `private.key` content should be provided to the `signPlugin.privateKey` property.
@@ -54,7 +60,12 @@ Provided password should be specified as the `signPlugin.password` property in t
 As a next step, we'll generate a `chain.crt` certificate chain with:
 
 ```bash
-openssl req -key private.key -new -x509 -days 365 -out chain.crt
+openssl req\
+  -key private.key\
+  -new\
+  -x509\
+  -days 365\
+  -out chain.crt
 ```
 
 The content of the `chain.crt` file will be used for the `signPlugin.certificateChain` property.
@@ -193,7 +204,6 @@ java -jar zip-signer-cli.jar sign\
   -key-pass "PRIVATE_KEY_PASSWORD"
 ```
 
-
 ## Signing for Custom Repositories
 
 Signing plugins hosted on a custom repository can be accomplished for added trust between the repository and installation. However, unlike Marketplace, the custom repository will not re-sign the plugin with the JetBrains key. Instead, a trusted private CA or self-signed certificate can be used to sign and validate plugins.

topics/intro/content_updates.md

@@ -8,6 +8,11 @@ See [GitHub Changelog](https://github.com/JetBrains/intellij-sdk-docs/commits/ma
 
 ## 2021
 
+### July-21
+
+Plugin Signing
+: [Plugin Signing](plugin_signing.md) page describes the plugin signing process, explains how to generate a certificate, configure the Gradle `signPlugin` task, and introduces standalone CLI tool.
+
 ### June-21
 
 Testing FAQ

topics/tutorials/build_system/deployment.md

@@ -64,6 +64,13 @@ Note that also, in this case, you still need to put some default values in your
 The first step when deploying a plugin is to confirm that it works correctly.
 You may wish to verify this by [installing your plugin from disk](https://www.jetbrains.com/help/idea/managing-plugins.html) on a fresh instance of your target IDE(s).
 
+### Signing a Plugin
+
+The Marketplace signing is designed to ensure that plugins are not modified over the course of the publishing and delivery pipeline.
+In version `1.x`, the Gradle IntelliJ Plugin provides the `signPlugin` task, which will be executed automatically right before the `publishPlugin`.
+
+For more details on generating a proper certificate and configuring the `signPlugin` task, check the [Plugin Signing](plugin_signing.md) article.
+
 ### Publishing a Plugin
 Once you are confident, the plugin works as intended, make sure the plugin version is updated, as the JetBrains Plugins Repository won't accept multiple artifacts with the same version.