Commitcb3aae6

authored

impl: verify cli signature (#148)

This PR introduces support for verifying the CLI binary using a detachedPGP signature. Starting with version 2.24, Coder signs all CLI binaries.For clients using older versions or running TBX in air-gappedenvironments, unsigned CLIs can still be executed — but users will haveto confirm it each time.In terms of code changes - the PR includes a big refactor around CLIdownloading with most of the code refactored and extracted in variouscomponents that provide clean steps and result state in the maindownload method. Then the pgp verification logic was added on top, withsome particularities:- the pgp public key is embedded in the plugin as a jar resource- we support multiple key rings in the public key- the user has the option of running the CLI if no signature was found- the signature search has a fallback approach: first we look in theCoder deployment, and then fall back to releases.coder.com to search forthe signature if the user allows it.- we expect the signature to be under the same relative path as the CLI(we have an option which allows user to pick the CLI from a differentsource other than the Coder deployment)

1 parente02c866 commitcb3aae6Copy full SHA for cb3aae6

File tree

23 files changed

+1230

-322

lines changed

CHANGELOG.md
build.gradle.kts
gradle.properties
gradle
- libs.versions.toml
src
- main
  - kotlin/com/coder/toolbox
    - CoderRemoteProvider.kt
    - cli
      - CoderCLIManager.kt
      - downloader
        CoderDownloadApi.kt
        CoderDownloadService.kt
        DownloadResult.kt
      - ex
        Exceptions.kt
      - gpg
        GPGVerifier.kt
        VerificationResult.kt
    - settings
      - ReadOnlyCoderSettings.kt
    - store
      - CoderSettingsStore.kt
      - StoreKeys.kt
    - util
      - OS.kt
      - SemVer.kt
    - views
      - CoderSettingsPage.kt
      - DeploymentUrlStep.kt
  - resources
    - META-INF/trusted-keys
      - pgp-public.key
    - localization
      - defaultMessages.po
- test/kotlin/com/coder/toolbox
  - cli
    - CoderCLIManagerTest.kt
  - store
    - CoderSettingsStoreTest.kt

23 files changed

+1230

-322

lines changed

`‎CHANGELOG.md`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`###Added`
`6`	`6`
`7`	`7`	`- support for matching workspace agent in the URI via the agent name`
	`8`	`+- support for checking if CLI is signed`
`8`	`9`
`9`	`10`	`###Removed`
`10`	`11`

`‎build.gradle.kts`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@ dependencies {`
`63`	`63`	`ksp(libs.moshi.codegen)`
`64`	`64`	`implementation(libs.retrofit)`
`65`	`65`	`implementation(libs.retrofit.moshi)`
	`66`	`+ implementation(libs.bundles.bouncycastle)`
`66`	`67`	`testImplementation(kotlin("test"))`
`67`	`68`	`testImplementation(libs.mokk)`
`68`	`69`	`testImplementation(libs.bundles.toolbox.plugin.api)`

`‎gradle.properties`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`		`-version=0.4.0`
	`1`	`+version=0.5.0`
`2`	`2`	`group=com.coder.toolbox`
`3`	`3`	`name=coder-toolbox`

`‎gradle/libs.versions.toml`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ gettext = "0.7.0"`
`16`	`16`	`plugin-structure ="3.310"`
`17`	`17`	`mockk ="1.14.4"`
`18`	`18`	`detekt ="1.23.8"`
	`19`	`+bouncycastle ="1.81"`
`19`	`20`
`20`	`21`	`[libraries]`
`21`	`22`	`toolbox-core-api = {module ="com.jetbrains.toolbox:core-api",version.ref ="toolbox-plugin-api" }`
`@@ -34,10 +35,13 @@ retrofit-moshi = { module = "com.squareup.retrofit2:converter-moshi", version.re`
`34`	`35`	`plugin-structure = {module ="org.jetbrains.intellij.plugins:structure-toolbox",version.ref ="plugin-structure" }`
`35`	`36`	`mokk = {module ="io.mockk:mockk",version.ref ="mockk" }`
`36`	`37`	`marketplace-client = {module ="org.jetbrains.intellij:plugin-repository-rest-client",version.ref ="marketplace-client" }`
	`38`	`+bouncycastle-bcpg = {module ="org.bouncycastle:bcpg-jdk18on",version.ref ="bouncycastle" }`
	`39`	`+bouncycastle-bcprov = {module ="org.bouncycastle:bcprov-jdk18on",version.ref ="bouncycastle" }`
`37`	`40`
`38`	`41`	`[bundles]`
`39`	`42`	`serialization = ["serialization-core","serialization-json","serialization-json-okio"]`
`40`	`43`	`toolbox-plugin-api = ["toolbox-core-api","toolbox-ui-api","toolbox-remote-dev-api"]`
	`44`	`+bouncycastle = ["bouncycastle-bcpg","bouncycastle-bcprov"]`
`41`	`45`
`42`	`46`	`[plugins]`
`43`	`47`	`kotlin = {id ="org.jetbrains.kotlin.jvm",version.ref ="kotlin" }`

`‎src/main/kotlin/com/coder/toolbox/CoderRemoteProvider.kt`

Lines changed: 40 additions & 19 deletions

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ import kotlinx.coroutines.launch`
`35`	`35`	`importkotlinx.coroutines.selects.onTimeout`
`36`	`36`	`importkotlinx.coroutines.selects.select`
`37`	`37`	`importjava.net.URI`
	`38`	`+importjava.util.UUID`
`38`	`39`	`importkotlin.coroutines.cancellation.CancellationException`
`39`	`40`	`importkotlin.time.Duration.Companion.seconds`
`40`	`41`	`importkotlin.time.TimeSource`
`@@ -302,31 +303,51 @@ class CoderRemoteProvider(`
`302`	`303`	`* Handle incoming links (like from the dashboard).`
`303`	`304`	`*/`
`304`	`305`	`overridesuspendfunhandleUri(uri:URI) {`
`305`		`- linkHandler.handle(`
`306`		`- uri, shouldDoAutoSetup(),`
`307`		`- {`
`308`		`- coderHeaderPage.isBusyCreatingNewEnvironment.update {`
`309`		`-true`
	`306`	`+try {`
	`307`	`+ linkHandler.handle(`
	`308`	`+ uri, shouldDoAutoSetup(),`
	`309`	`+ {`
	`310`	`+ coderHeaderPage.isBusyCreatingNewEnvironment.update {`
	`311`	`+true`
	`312`	`+ }`
	`313`	`+ },`
	`314`	`+ {`
	`315`	`+ coderHeaderPage.isBusyCreatingNewEnvironment.update {`
	`316`	`+false`
	`317`	`+ }`
`310`	`318`	`}`
`311`		`- },`
`312`		`- {`
`313`		`- coderHeaderPage.isBusyCreatingNewEnvironment.update {`
	`319`	`+ ) { restClient, cli->`
	`320`	`+// stop polling and de-initialize resources`
	`321`	`+ close()`
	`322`	`+ isInitialized.update {`
`314`	`323`	`false`
`315`	`324`	`}`
	`325`	`+// start initialization with the new settings`
	`326`	`+this@CoderRemoteProvider.client= restClient`
	`327`	`+ coderHeaderPage.setTitle(context.i18n.pnotr(restClient.url.toString()))`
	`328`	`+`
	`329`	`+ environments.showLoadingMessage()`
	`330`	`+ pollJob= poll(restClient, cli)`
	`331`	`+ isInitialized.waitForTrue()`
`316`	`332`	`}`
`317`		`- ) { restClient, cli->`
`318`		`-// stop polling and de-initialize resources`
`319`		`- close()`
`320`		`- isInitialized.update {`
	`333`	`+ }catch (ex:Exception) {`
	`334`	`+ context.logger.error(ex,"")`
	`335`	`+val textError=if (exisAPIResponseException) {`
	`336`	`+if (!ex.reason.isNullOrBlank()) {`
	`337`	`+ ex.reason`
	`338`	`+ }else ex.message`
	`339`	`+ }else ex.message`
	`340`	`+`
	`341`	`+ context.ui.showSnackbar(`
	`342`	`+UUID.randomUUID().toString(),`
	`343`	`+ context.i18n.ptrl("Error encountered while handling Coder URI"),`
	`344`	`+ context.i18n.pnotr(textError?:""),`
	`345`	`+ context.i18n.ptrl("Dismiss")`
	`346`	`+ )`
	`347`	`+ }finally {`
	`348`	`+ coderHeaderPage.isBusyCreatingNewEnvironment.update {`
`321`	`349`	`false`
`322`	`350`	`}`
`323`		`-// start initialization with the new settings`
`324`		`-this@CoderRemoteProvider.client= restClient`
`325`		`- coderHeaderPage.setTitle(context.i18n.pnotr(restClient.url.toString()))`
`326`		`-`
`327`		`- environments.showLoadingMessage()`
`328`		`- pollJob= poll(restClient, cli)`
`329`		`- isInitialized.waitForTrue()`
`330`	`351`	`}`
`331`	`352`	`}`
`332`	`353`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitcb3aae6

File tree

23 files changed

23 files changed

`‎CHANGELOG.md`

`‎build.gradle.kts`

`‎gradle.properties`

`‎gradle/libs.versions.toml`

`‎src/main/kotlin/com/coder/toolbox/CoderRemoteProvider.kt`

0 commit comments