impl: verify cli signature #562

Merged
merged 11 commits into from
Jul 25, 2025

fioan89
Collaborator

@fioan89 fioan89 commented Jul 22, 2025

This PR introduces support for verifying the CLI binary using a detached PGP signature. Starting with version 2.24, Coder signs all CLI binaries. For clients using older versions or running Gateway in air-gapped environments, unsigned CLIs can still be executed — but users will have to confirm it each time.

In terms of code changes - the PR includes a big refactor around CLI downloading, with most of the code refactored and extracted into various components that provide clean steps and result state in the main download method. Then the PGP verification logic was added on top, with some particularities:

  • the PGP public key is embedded in the plugin as a jar resource
  • we support multiple key rings in the public key
  • the user has the option of running the CLI if no signature was found
  • the signature search has a fallback approach: first we look in the Coder deployment, and then fall back to releases.coder.com to search for the signature if the user allows it.
  • we expect the signature to be under the same relative path as the CLI (we have an option which allows the user to pick the CLI from a source other than the Coder deployment)
  • improved progress reporting while downloading the CLI and the signatures

This PR is a backport of coder/coder-jetbrains-toolbox#148
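The detached-signature check described in this PR, as an added Kotlin sketch that is not the plugin's own code: it assumes Bouncy Castle (`bcpg` and `bcprov`) on the classpath, and `SignatureCheck` and `verifyDetached` are hypothetical names. It loads every key ring from the embedded key file and matches each signature packet to a key by key ID.

```kotlin
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection
import org.bouncycastle.openpgp.PGPSignatureList
import org.bouncycastle.openpgp.PGPUtil
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider
import java.io.InputStream
import java.nio.file.Files
import java.nio.file.Path

// Hypothetical result type. A signature from an unknown key is kept distinct from a
// signature that fails verification, so the caller can report them differently.
enum class SignatureCheck { VALID, INVALID, UNKNOWN_SIGNER }

fun verifyDetached(cli: Path, signature: InputStream, publicKeys: InputStream): SignatureCheck {
    // One collection holds every key ring found in the (armored or binary) key file.
    val keyRings = PGPPublicKeyRingCollection(
        PGPUtil.getDecoderStream(publicKeys), JcaKeyFingerprintCalculator()
    )
    // A detached .asc file decodes to a single list of signature packets.
    val first = JcaPGPObjectFactory(PGPUtil.getDecoderStream(signature)).nextObject()
    val signatures = first as? PGPSignatureList ?: return SignatureCheck.INVALID

    var sawKnownSigner = false
    for (sig in signatures) {
        // Skip signatures made by keys that are not in any embedded key ring.
        val key = keyRings.getPublicKey(sig.keyID) ?: continue
        sawKnownSigner = true
        sig.init(JcaPGPContentVerifierBuilderProvider().setProvider(BouncyCastleProvider()), key)
        // Stream the binary through the verifier instead of loading it into memory.
        Files.newInputStream(cli).use { input ->
            val buffer = ByteArray(8192)
            while (true) {
                val read = input.read(buffer)
                if (read < 0) break
                sig.update(buffer, 0, read)
            }
        }
        if (sig.verify()) return SignatureCheck.VALID
    }
    return if (sawKnownSigner) SignatureCheck.INVALID else SignatureCheck.UNKNOWN_SIGNER
}
```

Only `VALID` should let the binary run without a prompt; a signature file that is absent altogether is a separate case handled before this function is called.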

fioan89 added 3 commits July 22, 2025 23:00
This is the key that validates if the GPG signature was tampered with
For one thing, some method signatures changed; some methods are now suspending functions
that will have to run in a coroutine in the tests. The second big issue is that now
the download function requests the user's input via a dialog
Contributor

github-actions bot commented Jul 22, 2025

Qodana Community for JVM

33 new problems were found

| Inspection name | Severity | Problems |
|---|---|---|
| Usage of API marked for removal | 🔴 Failure | 13 |
| Local 'var' is never modified and can be declared as 'val' | 🔶 Warning | 1 |
| Incorrect string capitalization | 🔶 Warning | 1 |
| Constant conditions | 🔶 Warning | 1 |
| Usage of redundant or deprecated syntax or deprecated symbols | 🔶 Warning | 1 |
| Throwable not thrown | 🔶 Warning | 1 |
| Redundant nullable return type | 🔶 Warning | 1 |
| Unused symbol | 🔶 Warning | 1 |
| Convert 'object' to 'data object' | ◽️ Notice | 5 |
| Class member can have 'private' visibility | ◽️ Notice | 3 |
| String concatenation that can be converted to string template | ◽️ Notice | 2 |
| Argument could be converted to 'Set' to improve performance | ◽️ Notice | 1 |
| Return or assignment can be lifted out | ◽️ Notice | 1 |
| Redundant lambda arrow | ◽️ Notice | 1 |

💡 Qodana analysis was run in the pull request mode: only the changed files were checked

View the detailed Qodana report

To be able to view the detailed Qodana report, you can either:

  1. Register at Qodana Cloud and configure the action
  2. Use GitHub Code Scanning with Qodana
  3. Host Qodana report at GitHub Pages
  4. Inspect and use qodana.sarif.json (see the Qodana SARIF format for details)

To get *.log files or any other Qodana artifacts, run the action with upload-result option set to true,
so that the action will upload the files as the job artifacts:

      - name: 'Qodana Scan'
        uses: JetBrains/qodana-action@v2023.3.2
        with:
          upload-result: true
Contact Qodana team

Contact us at qodana-support@jetbrains.com

fioan89 added 3 commits July 23, 2025 01:39
The signature for the Windows CLI follows the format: coder-windows-amd64.exe.asc
Currently it is coded to coder-windows-amd64.asc, which means the plugin
always fails to find any signature for the Windows CLI
@fioan89 fioan89 marked this pull request as ready for review July 22, 2025 22:46
Member

@code-asher code-asher left a comment

Not sure about the URL issue but looks good to me.

fioan89 added 4 commits July 25, 2025 18:02
This commit rejects any URL that is opaque, not hierarchical, not using http or https
protocol, or it misses the hostname.
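
The URL checks named in the commit message above, as an added Kotlin sketch built on `java.net.URI` (not the code from this PR; `rejectReason` and the sample URLs are hypothetical and constructed for illustration):

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Returns null when the URL is acceptable, otherwise the reason it is rejected.
fun rejectReason(raw: String): String? {
    val uri = try {
        URI(raw.trim())
    } catch (e: URISyntaxException) {
        return "not a valid URI: ${e.reason}"
    }
    return when {
        // No scheme at all, e.g. a bare host name typed by the user.
        !uri.isAbsolute -> "no scheme"
        // Opaque means the scheme-specific part does not start with '/', so the
        // URI has no authority or path structure (the opposite of hierarchical).
        uri.isOpaque -> "opaque (non-hierarchical) URI"
        uri.scheme.lowercase() !in setOf("http", "https") ->
            "scheme '${uri.scheme}' is not http or https"
        // java.net.URI reports a null host when the authority cannot be parsed as
        // a server-based authority, for example a host name with an underscore.
        uri.host.isNullOrBlank() -> "missing hostname"
        else -> null
    }
}

fun main() {
    // Constructed sample inputs covering each branch.
    listOf(
        "https://coder.example.com",
        "coder.example.com",
        "http:coder.example.com",
        "mailto:admin@example.com",
        "file:///etc/hosts",
        "https:///bin/coder-linux-amd64",
        "https://my_host.example.com",
    ).forEach { println("$it -> ${rejectReason(it) ?: "accepted"}") }
}
```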

@jdomeracki-coder jdomeracki-coder left a comment

Looking good!

@fioan89 fioan89 merged commit 0164c60 into main Jul 25, 2025
6 checks passed
@fioan89 fioan89 deleted the impl-verify-cli-signature branch July 25, 2025 18:32