While creating checksums/hashes for plugins and themes shipped via WordPress.org is a fairly straightforward process, the same can’t be said for premium plugins and themes.
The reason is simple: with WordPress.org we have direct, unfettered access to the source files that ship with each release of a plugin/theme. Premium assets are typically shipped from private repositories to which only the developers or organisations themselves have access.
So how can we set about verifying the checksums of premium plugins and themes?
The best way is to have buy-in from premium plugin developers to permit us access to their repositories. With this access we can build the hashes automatically and start providing these hashes directly via our API.
There are a few alternative routes, which essentially involve crowd-sourcing the checksums from multiple sites. This adds quite a lot of complexity to what should otherwise be very simple. We’re not ruling it out, however.
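Much of that complexity comes from having no reference copy: any one site's files may be locally edited or compromised, so a hash can only be accepted once enough distinct sites agree on it. The sketch below is an added example, not the service's own code; the report format, the quorum thresholds and the sample data are all assumptions.

```python
import hashlib
from collections import Counter, defaultdict

# Assumed policy values for this sketch, not taken from the post.
MIN_SITES = 3         # distinct sites that must report a file
MIN_AGREEMENT = 0.75  # share of those sites that must report the same hash


def consensus_checksums(reports, min_sites=MIN_SITES, min_agreement=MIN_AGREEMENT):
    """Aggregate (site_id, path, sha256_hex) reports for ONE plugin version.

    Returns (trusted, disputed): trusted maps path -> hash, disputed maps
    path -> {hash: number_of_sites} for files that need manual review.
    """
    votes = defaultdict(dict)  # path -> {site_id: hash}
    for site_id, path, digest in reports:
        # One vote per site per file, so resubmitting cannot stack votes.
        votes[path][site_id] = digest.lower()

    trusted, disputed = {}, {}
    for path, by_site in votes.items():
        tally = Counter(by_site.values())
        digest, count = tally.most_common(1)[0]
        if len(by_site) >= min_sites and count / len(by_site) >= min_agreement:
            trusted[path] = digest
        else:
            disputed[path] = dict(tally)
    return trusted, disputed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: file contents and site names are made up.
CLEAN = sha256_hex(b"<?php // premium-plugin 1.2.0 main file")
API_OK = sha256_hex(b"<?php // premium-plugin 1.2.0 api")
API_MODIFIED = sha256_hex(b"<?php // premium-plugin 1.2.0 api, locally edited")

SAMPLE_REPORTS = [
    ("site-a", "plugin.php", CLEAN), ("site-b", "plugin.php", CLEAN),
    ("site-c", "plugin.php", CLEAN), ("site-d", "plugin.php", CLEAN),
    ("site-a", "inc/api.php", API_OK), ("site-b", "inc/api.php", API_OK),
    ("site-c", "inc/api.php", API_MODIFIED), ("site-d", "inc/api.php", API_MODIFIED),
    ("site-d", "inc/api.php", API_MODIFIED),  # repeat from the same site
    ("site-e", "inc/extra.php", CLEAN),       # seen on one site only
]

if __name__ == "__main__":
    trusted, disputed = consensus_checksums(SAMPLE_REPORTS)
    print("trusted:", trusted)
    print("disputed:", disputed)
```

In the sample, only `plugin.php` reaches consensus; the split vote on `inc/api.php` and the single-site file both land in the disputed set instead of being published as reference hashes.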
So for the moment, we’re reaching out to plugin developers to see if they’ll be open to providing read-access to their release repositories.