impl: verify cli signature #562


Merged
fioan89 merged 11 commits into main from impl-verify-cli-signature
Jul 25, 2025

Conversation

fioan89 (Collaborator)

This PR introduces support for verifying the CLI binary using a detached PGP signature. Starting with version 2.24, Coder signs all CLI binaries. For clients using older versions or running Gateway in air-gapped environments, unsigned CLIs can still be executed — but users will have to confirm it each time.

In terms of code changes - the PR includes a big refactor around CLI downloading with most of the code refactored and extracted in various components that provide clean steps and result state in the main download method. Then the pgp verification logic was added on top, with some particularities:

  • the pgp public key is embedded in the plugin as a jar resource
  • we support multiple key rings in the public key
  • the user has the option of running the CLI if no signature was found
  • the signature search has a fallback approach: first we look in the Coder deployment, and then fall back to releases.coder.com to search for the signature if the user allows it.
  • we expect the signature to be under the same relative path as the CLI (we have an option which allows the user to pick the CLI from a different source other than the Coder deployment)
  • improved progress reporting while downloading the cli and the signatures

This PR is a backport of coder/coder-jetbrains-toolbox#148

This is the key that validates whether the gpg signature was tampered with
For one thing, some method signatures changed; some methods are now suspending functions that will have to run in a coroutine in the tests. The second big issue is that now the download function requests the user's input via a dialog
github-actions bot (Contributor) commented Jul 22, 2025 (edited)

Qodana Community for JVM

33 new problems were found

Inspection name                                                    | Severity   | Problems
Usage of API marked for removal                                    | 🔴 Failure | 13
Local 'var' is never modified and can be declared as 'val'         | 🔶 Warning | 1
Incorrect string capitalization                                    | 🔶 Warning | 1
Constant conditions                                                | 🔶 Warning | 1
Usage of redundant or deprecated syntax or deprecated symbols      | 🔶 Warning | 1
Throwable not thrown                                               | 🔶 Warning | 1
Redundant nullable return type                                     | 🔶 Warning | 1
Unused symbol                                                      | 🔶 Warning | 1
Convert 'object' to 'data object'                                  | ◽️ Notice  | 5
Class member can have 'private' visibility                         | ◽️ Notice  | 3
String concatenation that can be converted to string template      | ◽️ Notice  | 2
Argument could be converted to 'Set' to improve performance        | ◽️ Notice  | 1
Return or assignment can be lifted out                             | ◽️ Notice  | 1
Redundant lambda arrow                                             | ◽️ Notice  | 1

💡 Qodana analysis was run in the pull request mode: only the changed files were checked

View the detailed Qodana report

To be able to view the detailed Qodana report, you can either:

  1. Register at Qodana Cloud and configure the action
  2. Use GitHub Code Scanning with Qodana
  3. Host Qodana report at GitHub Pages
  4. Inspect and use qodana.sarif.json (see the Qodana SARIF format for details)

To get *.log files or any other Qodana artifacts, run the action with upload-result option set to true,
so that the action will upload the files as the job artifacts:

      - name: 'Qodana Scan'
        uses: JetBrains/qodana-action@v2023.3.2
        with:
          upload-result: true
Contact Qodana team

Contact us at qodana-support@jetbrains.com

The signature for the Windows CLI follows the format coder-windows-amd64.exe.asc. Currently it is coded as coder-windows-amd64.asc, which means the plugin always fails to find any signature for the Windows CLI.
fioan89 marked this pull request as ready for review July 22, 2025 22:46

code-asher (Member) left a comment

Not sure about the URL issue but looks good to me.

This commit rejects any URL that is opaque, not hierarchical, not using http or https protocol, or it misses the hostname.
jdomeracki-coder left a comment

Looking good!

fioan89 merged commit 0164c60 into main Jul 25, 2025
6 checks passed
fioan89 deleted the impl-verify-cli-signature branch July 25, 2025 18:32

aaronlehmann (Contributor)

Is there any setting to disable this new check? We distribute a custom build of the CLI, so this is popping up for all our users and is quite confusing/disruptive.
