fix: add code signing requirements to xpc connections

Author: ethanndickson

Coder-Desktop/Coder-Desktop/AppHelperXPCClient.swift

@@ -37,6 +37,7 @@ import VPNLib
  _ =self.connect()
 }
  logger.info("connecting to \(helperAppMachServiceName)")
+ connection.setCodeSigningRequirement(SignatureValidator.xpcPeerRequirement)
  connection.resume()
 self.connection = connection
 return connection

Coder-Desktop/Coder-DesktopHelper/HelperXPCListeners.swift

@@ -32,6 +32,7 @@ class HelperNEXPCServer: NSObject, NSXPCListenerDelegate, @unchecked Sendable{
  conns.removeAll{ $0 == newConnection }
  logger.debug("connection interrupted")
 }
+ newConnection.setCodeSigningRequirement(SignatureValidator.xpcPeerRequirement)
  newConnection.resume()
  conns.append(newConnection)
 returntrue
@@ -145,6 +146,7 @@ class HelperAppXPCServer: NSObject, NSXPCListenerDelegate, @unchecked Sendable{
  conns.removeAll{ $0 == newConnection }
  logger.debug("app connection invalidated")
 }
+ newConnection.setCodeSigningRequirement(SignatureValidator.xpcPeerRequirement)
  newConnection.resume()
  conns.append(newConnection)
 returntrue

Coder-Desktop/VPN/NEHelperXPCClient.swift

@@ -29,6 +29,7 @@ final class HelperXPCClient: @unchecked Sendable{
  connection.interruptionHandler ={[weak self]in
 self?.connection =nil
 }
+ connection.setCodeSigningRequirement(SignatureValidator.xpcPeerRequirement)
  connection.resume()
 self.connection = connection
 return connection

Coder-Desktop/VPNLib/Download.swift

@@ -1,130 +1,6 @@
 import CryptoKit
 import Foundation
 
-publicenumValidationError:Error{
-case fileNotFound
-case unableToCreateStaticCode
-case invalidSignature
-case unableToRetrieveInfo
-case invalidIdentifier(identifier:String?)
-case invalidTeamIdentifier(identifier:String?)
-case missingInfoPList
-case invalidVersion(version:String?)
-case belowMinimumCoderVersion
-
-publicvardescription:String{
-switchself{
-case.fileNotFound:
-"The file does not exist."
-case.unableToCreateStaticCode:
-"Unable to create a static code object."
-case.invalidSignature:
-"The file's signature is invalid."
-case.unableToRetrieveInfo:
-"Unable to retrieve signing information."
-caselet.invalidIdentifier(identifier):
-"Invalid identifier: \(identifier ??"unknown")."
-caselet.invalidVersion(version):
-"Invalid runtime version: \(version ??"unknown")."
-caselet.invalidTeamIdentifier(identifier):
-"Invalid team identifier: \(identifier ??"unknown")."
-case.missingInfoPList:
-"Info.plist is not embedded within the dylib."
-case.belowMinimumCoderVersion:
-"""
- The Coder deployment must be version \(SignatureValidator.minimumCoderVersion)
- or higher to use Coder Desktop.
-"""
-}
-}
-
-publicvarlocalizedDescription:String{ description }
-}
-
-publicclassSignatureValidator{
- // Whilst older dylibs exist, this app assumes v2.20 or later.
-publicstaticletminimumCoderVersion="2.20.0"
-
-privatestaticletexpectedName="CoderVPN"
-privatestaticletexpectedIdentifier="com.coder.Coder-Desktop.VPN.dylib"
-privatestaticletexpectedTeamIdentifier="4399GN35BJ"
-
-privatestaticletinfoIdentifierKey="CFBundleIdentifier"
-privatestaticletinfoNameKey="CFBundleName"
-privatestaticletinfoShortVersionKey="CFBundleShortVersionString"
-
-privatestaticletsignInfoFlags:SecCSFlags=.init(rawValue: kSecCSSigningInformation)
-
- // `expectedVersion` must be of the form `[0-9]+.[0-9]+.[0-9]+`
-publicstaticfunc validate(path:URL, expectedVersion:String)throws(ValidationError){
-guardFileManager.default.fileExists(atPath: path.path)else{
-throw.fileNotFound
-}
-
-varstaticCode:SecStaticCode?
-letstatus=SecStaticCodeCreateWithPath(path asCFURL,SecCSFlags(),&staticCode)
-guard status == errSecSuccess,let code = staticCode else{
-throw.unableToCreateStaticCode
-}
-
-letvalidateStatus=SecStaticCodeCheckValidity(code,SecCSFlags(),nil)
-guard validateStatus == errSecSuccess else{
-throw.invalidSignature
-}
-
-varinformation:CFDictionary?
-letinfoStatus=SecCodeCopySigningInformation(code, signInfoFlags,&information)
-guard infoStatus == errSecSuccess,let info = information as?[String:Any]else{
-throw.unableToRetrieveInfo
-}
-
-guardlet identifier =info[kSecCodeInfoIdentifier asString]as?String,
- identifier == expectedIdentifier
-else{
-throw.invalidIdentifier(identifier:info[kSecCodeInfoIdentifier asString]as?String)
-}
-
-guardlet teamIdentifier =info[kSecCodeInfoTeamIdentifier asString]as?String,
- teamIdentifier == expectedTeamIdentifier
-else{
-throw.invalidTeamIdentifier(
- identifier:info[kSecCodeInfoTeamIdentifier asString]as?String
-)
-}
-
-guardlet infoPlist =info[kSecCodeInfoPList asString]as?[String:AnyObject]else{
-throw.missingInfoPList
-}
-
-tryvalidateInfo(infoPlist: infoPlist, expectedVersion: expectedVersion)
-}
-
-privatestaticfunc validateInfo(infoPlist:[String:AnyObject], expectedVersion:String)throws(ValidationError){
-guardlet plistIdent =infoPlist[infoIdentifierKey]as?String, plistIdent == expectedIdentifier else{
-throw.invalidIdentifier(identifier:infoPlist[infoIdentifierKey]as?String)
-}
-
-guardlet plistName =infoPlist[infoNameKey]as?String, plistName == expectedName else{
-throw.invalidIdentifier(identifier:infoPlist[infoNameKey]as?String)
-}
-
- // Downloaded dylib must match the version of the server
-guardlet dylibVersion =infoPlist[infoShortVersionKey]as?String,
- expectedVersion == dylibVersion
-else{
-throw.invalidVersion(version:infoPlist[infoShortVersionKey]as?String)
-}
-
- // Downloaded dylib must be at least the minimum Coder server version
-guardlet dylibVersion =infoPlist[infoShortVersionKey]as?String,
- // x.compare(y) is .orderedDescending if x > y
- minimumCoderVersion.compare(dylibVersion, options:.numeric)!=.orderedDescending
-else{
-throw.belowMinimumCoderVersion
-}
-}
-}
-
 publicfunc download(
  src:URL,
  dest:URL,

Coder-Desktop/VPNLib/Validate.swift

@@ -0,0 +1,128 @@
+import Foundation
+
+publicenumValidationError:Error{
+case fileNotFound
+case unableToCreateStaticCode
+case invalidSignature
+case unableToRetrieveInfo
+case invalidIdentifier(identifier:String?)
+case invalidTeamIdentifier(identifier:String?)
+case missingInfoPList
+case invalidVersion(version:String?)
+case belowMinimumCoderVersion
+
+publicvardescription:String{
+switchself{
+case.fileNotFound:
+"The file does not exist."
+case.unableToCreateStaticCode:
+"Unable to create a static code object."
+case.invalidSignature:
+"The file's signature is invalid."
+case.unableToRetrieveInfo:
+"Unable to retrieve signing information."
+caselet.invalidIdentifier(identifier):
+"Invalid identifier: \(identifier ??"unknown")."
+caselet.invalidVersion(version):
+"Invalid runtime version: \(version ??"unknown")."
+caselet.invalidTeamIdentifier(identifier):
+"Invalid team identifier: \(identifier ??"unknown")."
+case.missingInfoPList:
+"Info.plist is not embedded within the dylib."
+case.belowMinimumCoderVersion:
+"""
+ The Coder deployment must be version \(SignatureValidator.minimumCoderVersion)
+ or higher to use Coder Desktop.
+"""
+}
+}
+
+publicvarlocalizedDescription:String{ description }
+}
+
+publicclassSignatureValidator{
+ // Whilst older dylibs exist, this app assumes v2.20 or later.
+publicstaticletminimumCoderVersion="2.20.0"
+
+privatestaticletexpectedName="CoderVPN"
+privatestaticletexpectedIdentifier="com.coder.Coder-Desktop.VPN.dylib"
+privatestaticletexpectedTeamIdentifier="4399GN35BJ"
+
+privatestaticletinfoIdentifierKey="CFBundleIdentifier"
+privatestaticletinfoNameKey="CFBundleName"
+privatestaticletinfoShortVersionKey="CFBundleShortVersionString"
+
+privatestaticletsignInfoFlags:SecCSFlags=.init(rawValue: kSecCSSigningInformation)
+
+ // `expectedVersion` must be of the form `[0-9]+.[0-9]+.[0-9]+`
+publicstaticfunc validate(path:URL, expectedVersion:String)throws(ValidationError){
+guardFileManager.default.fileExists(atPath: path.path)else{
+throw.fileNotFound
+}
+
+varstaticCode:SecStaticCode?
+letstatus=SecStaticCodeCreateWithPath(path asCFURL,SecCSFlags(),&staticCode)
+guard status == errSecSuccess,let code = staticCode else{
+throw.unableToCreateStaticCode
+}
+
+letvalidateStatus=SecStaticCodeCheckValidity(code,SecCSFlags(),nil)
+guard validateStatus == errSecSuccess else{
+throw.invalidSignature
+}
+
+varinformation:CFDictionary?
+letinfoStatus=SecCodeCopySigningInformation(code, signInfoFlags,&information)
+guard infoStatus == errSecSuccess,let info = information as?[String:Any]else{
+throw.unableToRetrieveInfo
+}
+
+guardlet identifier =info[kSecCodeInfoIdentifier asString]as?String,
+ identifier == expectedIdentifier
+else{
+throw.invalidIdentifier(identifier:info[kSecCodeInfoIdentifier asString]as?String)
+}
+
+guardlet teamIdentifier =info[kSecCodeInfoTeamIdentifier asString]as?String,
+ teamIdentifier == expectedTeamIdentifier
+else{
+throw.invalidTeamIdentifier(
+ identifier:info[kSecCodeInfoTeamIdentifier asString]as?String
+)
+}
+
+guardlet infoPlist =info[kSecCodeInfoPList asString]as?[String:AnyObject]else{
+throw.missingInfoPList
+}
+
+tryvalidateInfo(infoPlist: infoPlist, expectedVersion: expectedVersion)
+}
+
+publicstaticletxpcPeerRequirement="anchor apple generic"+ // Apple-issued certificate chain
+" and certificate leaf[subject.OU] = \""+ expectedTeamIdentifier +"\"" // Signed by the Coder team
+
+privatestaticfunc validateInfo(infoPlist:[String:AnyObject], expectedVersion:String)throws(ValidationError){
+guardlet plistIdent =infoPlist[infoIdentifierKey]as?String, plistIdent == expectedIdentifier else{
+throw.invalidIdentifier(identifier:infoPlist[infoIdentifierKey]as?String)
+}
+
+guardlet plistName =infoPlist[infoNameKey]as?String, plistName == expectedName else{
+throw.invalidIdentifier(identifier:infoPlist[infoNameKey]as?String)
+}
+
+ // Downloaded dylib must match the version of the server
+guardlet dylibVersion =infoPlist[infoShortVersionKey]as?String,
+ expectedVersion == dylibVersion
+else{
+throw.invalidVersion(version:infoPlist[infoShortVersionKey]as?String)
+}
+
+ // Downloaded dylib must be at least the minimum Coder server version
+guardlet dylibVersion =infoPlist[infoShortVersionKey]as?String,
+ // x.compare(y) is .orderedDescending if x > y
+ minimumCoderVersion.compare(dylibVersion, options:.numeric)!=.orderedDescending
+else{
+throw.belowMinimumCoderVersion
+}
+}
+}