fix: add code signing requirements to xpc connections

ethanndickson · ethanndickson · commit ea87f5255f7f · 2025-07-24T21:00:50.000+10:00
diff --git a/Coder-Desktop/Coder-Desktop/XPCInterface.swift b/Coder-Desktop/Coder-Desktop/XPCInterface.swift
@@ -36,6 +36,7 @@ import VPNLib
             _ = self.connect()
         }
         logger.info("connecting to \(helperAppMachServiceName)")
+        connection.setCodeSigningRequirement(SignatureValidator.peerRequirement)
         connection.resume()
         self.connection = connection
         return connection
diff --git a/Coder-Desktop/Coder-DesktopHelper/HelperXPCListeners.swift b/Coder-Desktop/Coder-DesktopHelper/HelperXPCListeners.swift
@@ -32,6 +32,7 @@ class HelperNEXPCListener: NSObject, NSXPCListenerDelegate, HelperNEXPCInterface
             conns.removeAll { $0 == newConnection }
             logger.debug("connection interrupted")
         }
+        newConnection.setCodeSigningRequirement(SignatureValidator.peerRequirement)
         newConnection.resume()
         conns.append(newConnection)
         return true
@@ -149,6 +150,7 @@ class HelperAppXPCListener: NSObject, NSXPCListenerDelegate, HelperAppXPCInterfa
             conns.removeAll { $0 == newConnection }
             logger.debug("app connection invalidated")
         }
+        newConnection.setCodeSigningRequirement(SignatureValidator.peerRequirement)
         newConnection.resume()
         conns.append(newConnection)
         return true
diff --git a/Coder-Desktop/VPN/HelperXPCSpeaker.swift b/Coder-Desktop/VPN/HelperXPCSpeaker.swift
@@ -29,6 +29,7 @@ final class HelperXPCSpeaker: NEXPCInterface, @unchecked Sendable {
         connection.interruptionHandler = { [weak self] in
             self?.connection = nil
         }
+        connection.setCodeSigningRequirement(SignatureValidator.peerRequirement)
         connection.resume()
         self.connection = connection
         return connection
diff --git a/Coder-Desktop/VPNLib/Download.swift b/Coder-Desktop/VPNLib/Download.swift
@@ -1,130 +1,6 @@
 import CryptoKit
 import Foundation
 
-public enum ValidationError: Error {
-    case fileNotFound
-    case unableToCreateStaticCode
-    case invalidSignature
-    case unableToRetrieveInfo
-    case invalidIdentifier(identifier: String?)
-    case invalidTeamIdentifier(identifier: String?)
-    case missingInfoPList
-    case invalidVersion(version: String?)
-    case belowMinimumCoderVersion
-
-    public var description: String {
-        switch self {
-        case .fileNotFound:
-            "The file does not exist."
-        case .unableToCreateStaticCode:
-            "Unable to create a static code object."
-        case .invalidSignature:
-            "The file's signature is invalid."
-        case .unableToRetrieveInfo:
-            "Unable to retrieve signing information."
-        case let .invalidIdentifier(identifier):
-            "Invalid identifier: \(identifier ?? "unknown")."
-        case let .invalidVersion(version):
-            "Invalid runtime version: \(version ?? "unknown")."
-        case let .invalidTeamIdentifier(identifier):
-            "Invalid team identifier: \(identifier ?? "unknown")."
-        case .missingInfoPList:
-            "Info.plist is not embedded within the dylib."
-        case .belowMinimumCoderVersion:
-            """
-            The Coder deployment must be version \(SignatureValidator.minimumCoderVersion)
-            or higher to use Coder Desktop.
-            """
-        }
-    }
-
-    public var localizedDescription: String { description }
-}
-
-public class SignatureValidator {
-    // Whilst older dylibs exist, this app assumes v2.20 or later.
-    public static let minimumCoderVersion = "2.20.0"
-
-    private static let expectedName = "CoderVPN"
-    private static let expectedIdentifier = "com.coder.Coder-Desktop.VPN.dylib"
-    private static let expectedTeamIdentifier = "4399GN35BJ"
-
-    private static let infoIdentifierKey = "CFBundleIdentifier"
-    private static let infoNameKey = "CFBundleName"
-    private static let infoShortVersionKey = "CFBundleShortVersionString"
-
-    private static let signInfoFlags: SecCSFlags = .init(rawValue: kSecCSSigningInformation)
-
-    // `expectedVersion` must be of the form `[0-9]+.[0-9]+.[0-9]+`
-    public static func validate(path: URL, expectedVersion: String) throws(ValidationError) {
-        guard FileManager.default.fileExists(atPath: path.path) else {
-            throw .fileNotFound
-        }
-
-        var staticCode: SecStaticCode?
-        let status = SecStaticCodeCreateWithPath(path as CFURL, SecCSFlags(), &staticCode)
-        guard status == errSecSuccess, let code = staticCode else {
-            throw .unableToCreateStaticCode
-        }
-
-        let validateStatus = SecStaticCodeCheckValidity(code, SecCSFlags(), nil)
-        guard validateStatus == errSecSuccess else {
-            throw .invalidSignature
-        }
-
-        var information: CFDictionary?
-        let infoStatus = SecCodeCopySigningInformation(code, signInfoFlags, &information)
-        guard infoStatus == errSecSuccess, let info = information as? [String: Any] else {
-            throw .unableToRetrieveInfo
-        }
-
-        guard let identifier = info[kSecCodeInfoIdentifier as String] as? String,
-              identifier == expectedIdentifier
-        else {
-            throw .invalidIdentifier(identifier: info[kSecCodeInfoIdentifier as String] as? String)
-        }
-
-        guard let teamIdentifier = info[kSecCodeInfoTeamIdentifier as String] as? String,
-              teamIdentifier == expectedTeamIdentifier
-        else {
-            throw .invalidTeamIdentifier(
-                identifier: info[kSecCodeInfoTeamIdentifier as String] as? String
-            )
-        }
-
-        guard let infoPlist = info[kSecCodeInfoPList as String] as? [String: AnyObject] else {
-            throw .missingInfoPList
-        }
-
-        try validateInfo(infoPlist: infoPlist, expectedVersion: expectedVersion)
-    }
-
-    private static func validateInfo(infoPlist: [String: AnyObject], expectedVersion: String) throws(ValidationError) {
-        guard let plistIdent = infoPlist[infoIdentifierKey] as? String, plistIdent == expectedIdentifier else {
-            throw .invalidIdentifier(identifier: infoPlist[infoIdentifierKey] as? String)
-        }
-
-        guard let plistName = infoPlist[infoNameKey] as? String, plistName == expectedName else {
-            throw .invalidIdentifier(identifier: infoPlist[infoNameKey] as? String)
-        }
-
-        // Downloaded dylib must match the version of the server
-        guard let dylibVersion = infoPlist[infoShortVersionKey] as? String,
-              expectedVersion == dylibVersion
-        else {
-            throw .invalidVersion(version: infoPlist[infoShortVersionKey] as? String)
-        }
-
-        // Downloaded dylib must be at least the minimum Coder server version
-        guard let dylibVersion = infoPlist[infoShortVersionKey] as? String,
-              // x.compare(y) is .orderedDescending if x > y
-              minimumCoderVersion.compare(dylibVersion, options: .numeric) != .orderedDescending
-        else {
-            throw .belowMinimumCoderVersion
-        }
-    }
-}
-
 public func download(
     src: URL,
     dest: URL,
diff --git a/Coder-Desktop/VPNLib/Validate.swift b/Coder-Desktop/VPNLib/Validate.swift
@@ -0,0 +1,128 @@
+import Foundation
+
+public enum ValidationError: Error {
+    case fileNotFound
+    case unableToCreateStaticCode
+    case invalidSignature
+    case unableToRetrieveInfo
+    case invalidIdentifier(identifier: String?)
+    case invalidTeamIdentifier(identifier: String?)
+    case missingInfoPList
+    case invalidVersion(version: String?)
+    case belowMinimumCoderVersion
+
+    public var description: String {
+        switch self {
+        case .fileNotFound:
+            "The file does not exist."
+        case .unableToCreateStaticCode:
+            "Unable to create a static code object."
+        case .invalidSignature:
+            "The file's signature is invalid."
+        case .unableToRetrieveInfo:
+            "Unable to retrieve signing information."
+        case let .invalidIdentifier(identifier):
+            "Invalid identifier: \(identifier ?? "unknown")."
+        case let .invalidVersion(version):
+            "Invalid runtime version: \(version ?? "unknown")."
+        case let .invalidTeamIdentifier(identifier):
+            "Invalid team identifier: \(identifier ?? "unknown")."
+        case .missingInfoPList:
+            "Info.plist is not embedded within the dylib."
+        case .belowMinimumCoderVersion:
+            """
+            The Coder deployment must be version \(SignatureValidator.minimumCoderVersion)
+            or higher to use Coder Desktop.
+            """
+        }
+    }
+
+    public var localizedDescription: String { description }
+}
+
+public class SignatureValidator {
+    // Whilst older dylibs exist, this app assumes v2.20 or later.
+    public static let minimumCoderVersion = "2.20.0"
+
+    private static let expectedName = "CoderVPN"
+    private static let expectedIdentifier = "com.coder.Coder-Desktop.VPN.dylib"
+    private static let expectedTeamIdentifier = "4399GN35BJ"
+
+    private static let infoIdentifierKey = "CFBundleIdentifier"
+    private static let infoNameKey = "CFBundleName"
+    private static let infoShortVersionKey = "CFBundleShortVersionString"
+
+    private static let signInfoFlags: SecCSFlags = .init(rawValue: kSecCSSigningInformation)
+
+    // `expectedVersion` must be of the form `[0-9]+.[0-9]+.[0-9]+`
+    public static func validate(path: URL, expectedVersion: String) throws(ValidationError) {
+        guard FileManager.default.fileExists(atPath: path.path) else {
+            throw .fileNotFound
+        }
+
+        var staticCode: SecStaticCode?
+        let status = SecStaticCodeCreateWithPath(path as CFURL, SecCSFlags(), &staticCode)
+        guard status == errSecSuccess, let code = staticCode else {
+            throw .unableToCreateStaticCode
+        }
+
+        let validateStatus = SecStaticCodeCheckValidity(code, SecCSFlags(), nil)
+        guard validateStatus == errSecSuccess else {
+            throw .invalidSignature
+        }
+
+        var information: CFDictionary?
+        let infoStatus = SecCodeCopySigningInformation(code, signInfoFlags, &information)
+        guard infoStatus == errSecSuccess, let info = information as? [String: Any] else {
+            throw .unableToRetrieveInfo
+        }
+
+        guard let identifier = info[kSecCodeInfoIdentifier as String] as? String,
+              identifier == expectedIdentifier
+        else {
+            throw .invalidIdentifier(identifier: info[kSecCodeInfoIdentifier as String] as? String)
+        }
+
+        guard let teamIdentifier = info[kSecCodeInfoTeamIdentifier as String] as? String,
+              teamIdentifier == expectedTeamIdentifier
+        else {
+            throw .invalidTeamIdentifier(
+                identifier: info[kSecCodeInfoTeamIdentifier as String] as? String
+            )
+        }
+
+        guard let infoPlist = info[kSecCodeInfoPList as String] as? [String: AnyObject] else {
+            throw .missingInfoPList
+        }
+
+        try validateInfo(infoPlist: infoPlist, expectedVersion: expectedVersion)
+    }
+
+    public static let peerRequirement = "anchor apple generic" + // Apple-issued certificate chain
+        " and certificate leaf[subject.OU] = \"" + expectedTeamIdentifier + "\"" // Signed by the Coder team
+
+    private static func validateInfo(infoPlist: [String: AnyObject], expectedVersion: String) throws(ValidationError) {
+        guard let plistIdent = infoPlist[infoIdentifierKey] as? String, plistIdent == expectedIdentifier else {
+            throw .invalidIdentifier(identifier: infoPlist[infoIdentifierKey] as? String)
+        }
+
+        guard let plistName = infoPlist[infoNameKey] as? String, plistName == expectedName else {
+            throw .invalidIdentifier(identifier: infoPlist[infoNameKey] as? String)
+        }
+
+        // Downloaded dylib must match the version of the server
+        guard let dylibVersion = infoPlist[infoShortVersionKey] as? String,
+              expectedVersion == dylibVersion
+        else {
+            throw .invalidVersion(version: infoPlist[infoShortVersionKey] as? String)
+        }
+
+        // Downloaded dylib must be at least the minimum Coder server version
+        guard let dylibVersion = infoPlist[infoShortVersionKey] as? String,
+              // x.compare(y) is .orderedDescending if x > y
+              minimumCoderVersion.compare(dylibVersion, options: .numeric) != .orderedDescending
+        else {
+            throw .belowMinimumCoderVersion
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ import VPNLib`
`36`	`36`	`_ = self.connect()`
`37`	`37`	`}`
`38`	`38`	`logger.info("connecting to \(helperAppMachServiceName)")`
	`39`	`+ connection.setCodeSigningRequirement(SignatureValidator.peerRequirement)`
`39`	`40`	`connection.resume()`
`40`	`41`	`self.connection = connection`
`41`	`42`	`return connection`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ final class HelperXPCSpeaker: NEXPCInterface, @unchecked Sendable {`
`29`	`29`	`connection.interruptionHandler = { [weak self] in`
`30`	`30`	`self?.connection = nil`
`31`	`31`	`}`
	`32`	`+ connection.setCodeSigningRequirement(SignatureValidator.peerRequirement)`
`32`	`33`	`connection.resume()`
`33`	`34`	`self.connection = connection`
`34`	`35`	`return connection`