Bug #34612

open

Plugins RPMs are unsigned

Added by Greg C almost 3 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

https://theforeman.org/manuals/3.1/index.html#Signing

"Release and release candidate packages are signed by the per-release key listed on Security. Nightly packages are not signed."

All of the plugins are unsigned in 3.1 and 3.2.

I feel like the doc is unclear here. "Release" is both the name of a repo, and a statement about the maturity/quality of the code. It seems like "plugins" RPMs could warrant being signed or not signed, depending on the specific meaning. Minimally, I think whatever the decision is should be spelled out in the docs.

IMO, they're release-quality and should be signed, but I'm fine with either so long as it's a conscious/declared choice.
