Security: AldertLake/PakToolkit

docs/security.md

Security

Runtime Package Toolkit follows Unreal's security model. It does not bypass pak signing or encryption.

Signing And Encryption

If the host project requires signed or encrypted paks, external paks must satisfy those same requirements.

The plugin does not:

  • Disable signing checks.
  • Disable encryption checks.
  • Register secret keys.
  • Emulate Unreal's secure packaging pipeline.

SHA1

SHA1 verification is an integrity check for downloads or generated files. It is not authentication and does not prove a package is trusted.

To establish trust, rely on a trusted distribution channel and Unreal's signing and encryption features.

Downloads

The downloader performs a simple HTTP GET to a temporary file, optionally checks SHA1, then moves the file to the destination.

It does not implement:

  • Resumable downloads.
  • CDN authentication.
  • Delta patching.
  • Manifest negotiation.
  • Trust policy enforcement.

Use HTTPS endpoints you control.
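
The verify-then-move flow described above, together with the SHA1 section's point that a hash check is integrity and not authentication, as an added Python example. It is not the plugin's code, and the function names, file names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def sha1_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-1 so large paks are not held in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def install_staged(staged_path, dest_path, expected_sha1):
    """Move a staged download into place only if its SHA-1 matches."""
    actual = sha1_file(staged_path)
    if not hmac.compare_digest(actual, expected_sha1.strip().lower()):
        os.remove(staged_path)  # never leave a rejected file where it could be mounted
        return False
    os.replace(staged_path, dest_path)  # atomic when both paths share a filesystem
    return True


def demo():
    """Run both cases on constructed bytes; returns four booleans."""
    with tempfile.TemporaryDirectory() as workdir:
        staged = os.path.join(workdir, "content.pak.tmp")  # hypothetical names
        dest = os.path.join(workdir, "content.pak")
        original = b"constructed sample pak bytes"
        published_sha1 = hashlib.sha1(original).hexdigest()

        # Case 1: transfer truncated, expected hash obtained from a trusted source.
        with open(staged, "wb") as fh:
            fh.write(original[:-4])
        corrupted_installed = install_staged(staged, dest, published_sha1)
        leftovers = os.path.exists(staged) or os.path.exists(dest)

        # Case 2: file and hash were both replaced at the same origin.
        substituted = b"constructed bytes from someone else"
        with open(staged, "wb") as fh:
            fh.write(substituted)
        swapped_installed = install_staged(
            staged, dest, hashlib.sha1(substituted).hexdigest())
        with open(dest, "rb") as fh:
            dest_is_substitute = fh.read() == substituted
    return corrupted_installed, leftovers, swapped_installed, dest_is_substitute
```

The truncated transfer is rejected and cleaned up, while a file delivered alongside its own hash passes the check. The expected hash therefore has to come from a source the project already trusts, and signing still carries the trust decision.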

Third-Party Content

Mounted content can reference classes, plugins, data formats, and assets expected by the host project. Treat untrusted packages as unsafe unless your project has a separate sandboxing and validation strategy.

There aren't any published security advisories