This content describes an older version of this product.

Install Trusted Unsigned Plug-ins Automatically

When you install a plug-in with the sfdx plugins:install command, Salesforce CLI first verifies its digital signature. If the plug-in provides a valid signature, the CLI installs it. Otherwise, Salesforce CLI doesn't install it until you answer a warning prompt and acknowledge that you understand the risks. This process works well when you install a plug-in interactively at the command line, but can prevent a batch CI/CD job from completing. To automatically install a plug-in without prompting, even when unsigned, create an allowlist file on your local file system and add the plug-ins you trust.

Warning

After you install a plug-in and run one of its commands in a terminal, the command runs with your user privileges. As a result, the command can read encrypted data, communicate with any Salesforce org you authenticated to, or remove files in your home directory. Install unsigned and unverified plug-ins only if you trust them.

  1. Create a file called unsignedPluginAllowList.json and put it in one of these directories:
    • (Linux and macOS): $HOME/.config/sfdx
    • (Windows) Depending on your Windows configuration, either C:\Users\username\.config\sfdx or %LOCALAPPDATA%\sfdx
  2. Add the names of the plug-ins you trust to the JSON file in a simple array of strings. For example:
    [
        "sfdx-templates",
        "salesforce-cmdt",
        ...
    ]
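
An added example (not from the Salesforce documentation): a Python helper that a CI job could use to write the allowlist with owner-only permissions and to check, before it runs sfdx plugins:install, that the file lists only plug-ins from a reviewed set. The function names, the reviewed set, and the permission check are assumptions of this example; it uses the Linux and macOS layout and POSIX permission bits.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

ALLOWLIST_NAME = "unsignedPluginAllowList.json"  # file name given on the page


def write_allowlist(config_dir, plugins):
    """Write the allowlist as a JSON array of strings, owner read/write only."""
    config_dir = Path(config_dir)
    config_dir.mkdir(parents=True, exist_ok=True)
    path = config_dir / ALLOWLIST_NAME
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(sorted(set(plugins)), fh, indent=4)
    os.chmod(path, 0o600)  # also tighten a file that already existed
    return path


def audit_allowlist(path, approved):
    """Return a list of findings; an empty list means the file passed."""
    path = Path(path)
    findings = []
    # Anyone who can edit this file can make the CLI skip the signature prompt.
    if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by group or others")
    try:
        entries = json.loads(path.read_text(encoding="utf-8"))
    except json.JSONDecodeError as exc:
        return findings + [f"not valid JSON: {exc.msg}"]
    if not isinstance(entries, list) or not all(isinstance(e, str) for e in entries):
        return findings + ["content is not an array of strings"]
    for name in entries:
        if name not in approved:
            findings.append(f"plug-in not on the reviewed list: {name}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the two names are the ones in the page's example.
    approved = {"sfdx-templates", "salesforce-cmdt"}  # hypothetical reviewed set
    with tempfile.TemporaryDirectory() as tmp:
        target = write_allowlist(Path(tmp) / ".config" / "sfdx", approved)
        print(audit_allowlist(target, approved))
```

Failing the job whenever audit_allowlist returns a non-empty list keeps the signature bypass limited to plug-ins that someone has reviewed.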