chore: ensure downloaded slim binary version matches server

ethanndickson · ethanndickson · commit 8fceeab48956 · 2025-08-06T12:20:15.000+10:00
diff --git a/Coder-Desktop/Coder-DesktopHelper/Manager.swift b/Coder-Desktop/Coder-DesktopHelper/Manager.swift
@@ -76,7 +76,8 @@ actor Manager{
 }
 pushProgress(stage: .validating)
 do{
- try Validator.validate(path: dest)
+ try Validator.validateSignature(binaryPath: dest)
+ try await Validator.validateVersion(binaryPath: dest, serverVersion: buildInfo.version)
 } catch{
 // Cleanup unvalid binary
 try? FileManager.default.removeItem(at: dest)
diff --git a/Coder-Desktop/VPNLib/Validate.swift b/Coder-Desktop/VPNLib/Validate.swift
@@ -1,4 +1,5 @@
 import Foundation
+import Subprocess
 
 public enum ValidationError: Error{
 case fileNotFound
@@ -7,7 +8,9 @@ public enum ValidationError: Error{
 case unableToRetrieveSignature
 case invalidIdentifier(identifier: String?)
 case invalidTeamIdentifier(identifier: String?)
- case invalidVersion(version: String?)
+ case unableToReadVersion(any Error)
+ case binaryVersionMismatch(binaryVersion: String, serverVersion: String)
+ case internalError(OSStatus)
 
 public var description: String{
 switch self{
@@ -21,10 +24,14 @@ public enum ValidationError: Error{
 "Unable to retrieve signing information."
 case let .invalidIdentifier(identifier):
 "Invalid identifier: \(identifier ?? "unknown")."
- case let .invalidVersion(version):
- "Invalid runtime version: \(version ?? "unknown")."
+ case let .binaryVersionMismatch(binaryVersion, serverVersion):
+ "Binary version does not match server. Binary: \(binaryVersion), Server: \(serverVersion)."
 case let .invalidTeamIdentifier(identifier):
 "Invalid team identifier: \(identifier ?? "unknown")."
+ case let .unableToReadVersion(error):
+ "Unable to execute the binary to read version: \(error.localizedDescription)"
+ case let .internalError(status):
+ "Internal error with OSStatus code: \(status)."
 }
 }
 
@@ -37,22 +44,32 @@ public class Validator{
 public static let minimumCoderVersion = "2.24.2"
 
 private static let expectedIdentifier = "com.coder.cli"
+ // The Coder team identifier
 private static let expectedTeamIdentifier = "4399GN35BJ"
 
+ // Apple-issued certificate chain
+ public static let anchorRequirement = "anchor apple generic"
+
 private static let signInfoFlags: SecCSFlags = .init(rawValue: kSecCSSigningInformation)
 
- public static func validate(path: URL) throws(ValidationError){
- guard FileManager.default.fileExists(atPath: path.path) else{
+ public static func validateSignature(binaryPath: URL) throws(ValidationError){
+ guard FileManager.default.fileExists(atPath: binaryPath.path) else{
 throw .fileNotFound
 }
 
 var staticCode: SecStaticCode?
- let status = SecStaticCodeCreateWithPath(path as CFURL, SecCSFlags(), &staticCode)
+ let status = SecStaticCodeCreateWithPath(binaryPath as CFURL, SecCSFlags(), &staticCode)
 guard status == errSecSuccess, let code = staticCode else{
 throw .unableToCreateStaticCode
 }
 
- let validateStatus = SecStaticCodeCheckValidity(code, SecCSFlags(), nil)
+ var requirement: SecRequirement?
+ let reqStatus = SecRequirementCreateWithString(anchorRequirement as CFString, SecCSFlags(), &requirement)
+ guard reqStatus == errSecSuccess, let requirement else{
+ throw .internalError(OSStatus(reqStatus))
+ }
+
+ let validateStatus = SecStaticCodeCheckValidity(code, SecCSFlags(), requirement)
 guard validateStatus == errSecSuccess else{
 throw .invalidSignature
 }
@@ -78,6 +95,32 @@ public class Validator{
 }
 }
 
- public static let xpcPeerRequirement = "anchor apple generic" + // Apple-issued certificate chain
+ // This function executes the binary to read its version, and so it assumes
+ // the signature has already been validated.
+ public static func validateVersion(binaryPath: URL, serverVersion: String) async throws(ValidationError){
+ guard FileManager.default.fileExists(atPath: binaryPath.path) else{
+ throw .fileNotFound
+ }
+
+ let version: String
+ do{
+ try chmodX(at: binaryPath)
+ let versionOutput = try await Subprocess.data(for: [binaryPath.path, "version", "--output=json"])
+ let parsed: VersionOutput = try JSONDecoder().decode(VersionOutput.self, from: versionOutput)
+ version = parsed.version
+ } catch{
+ throw .unableToReadVersion(error)
+ }
+
+ guard version == serverVersion else{
+ throw .binaryVersionMismatch(binaryVersion: version, serverVersion: serverVersion)
+ }
+ }
+
+ struct VersionOutput: Codable{
+ let version: String
+ }
+
+ public static let xpcPeerRequirement = anchorRequirement +
 " and certificate leaf[subject.OU] = \"" + expectedTeamIdentifier + "\"" // Signed by the Coder team
 }

-Original file line number
+Diff line change
+}
 pushProgress(stage:.validating)
 do{
 -tryValidator.validate(path: dest)
 +tryValidator.validateSignature(binaryPath: dest)
 +tryawaitValidator.validateVersion(binaryPath: dest, serverVersion: buildInfo.version)
 }catch{
  // Cleanup unvalid binary
 try?FileManager.default.removeItem(at: dest)
-Original file line number
+Diff line change
@@ @@ -1,4 +1,5 @@ @@
 import Foundation
 +import Subprocess
 publicenumValidationError:Error{
 case fileNotFound
 case unableToRetrieveSignature
 case invalidIdentifier(identifier:String?)
 case invalidTeamIdentifier(identifier:String?)
 -case invalidVersion(version:String?)
 +case unableToReadVersion(anyError)
 +case binaryVersionMismatch(binaryVersion:String, serverVersion:String)
 +case internalError(OSStatus)
 publicvardescription:String{
 switchself{
 "Unable to retrieve signing information."
 caselet.invalidIdentifier(identifier):
 "Invalid identifier: \(identifier ??"unknown")."
 -caselet.invalidVersion(version):
 -"Invalid runtime version: \(version ??"unknown")."
 +caselet.binaryVersionMismatch(binaryVersion, serverVersion):
 +"Binary version does not match server. Binary: \(binaryVersion), Server: \(serverVersion)."
 caselet.invalidTeamIdentifier(identifier):
 "Invalid team identifier: \(identifier ??"unknown")."
 +caselet.unableToReadVersion(error):
 +"Unable to execute the binary to read version: \(error.localizedDescription)"
 +caselet.internalError(status):
 +"Internal error with OSStatus code: \(status)."
+}
+}
 publicstaticletminimumCoderVersion="2.24.2"
 privatestaticletexpectedIdentifier="com.coder.cli"
 + // The Coder team identifier
 privatestaticletexpectedTeamIdentifier="4399GN35BJ"
 + // Apple-issued certificate chain
 +publicstaticletanchorRequirement="anchor apple generic"
++
 privatestaticletsignInfoFlags:SecCSFlags=.init(rawValue: kSecCSSigningInformation)
 -publicstaticfuncvalidate(path:URL)throws(ValidationError){
 -guardFileManager.default.fileExists(atPath:path.path)else{
 +publicstaticfuncvalidateSignature(binaryPath:URL)throws(ValidationError){
 +guardFileManager.default.fileExists(atPath:binaryPath.path)else{
 throw.fileNotFound
+}
 varstaticCode:SecStaticCode?
 -letstatus=SecStaticCodeCreateWithPath(pathasCFURL,SecCSFlags(),&staticCode)
 +letstatus=SecStaticCodeCreateWithPath(binaryPathasCFURL,SecCSFlags(),&staticCode)
 guard status == errSecSuccess,let code = staticCode else{
 throw.unableToCreateStaticCode
+}
 -letvalidateStatus=SecStaticCodeCheckValidity(code,SecCSFlags(),nil)
 +varrequirement:SecRequirement?
 +letreqStatus=SecRequirementCreateWithString(anchorRequirement asCFString,SecCSFlags(),&requirement)
 +guard reqStatus == errSecSuccess,let requirement else{
 +throw.internalError(OSStatus(reqStatus))
 +}
++
 +letvalidateStatus=SecStaticCodeCheckValidity(code,SecCSFlags(), requirement)
 guard validateStatus == errSecSuccess else{
 throw.invalidSignature
+}
+}
+}
 -publicstaticletxpcPeerRequirement="anchor apple generic"+ // Apple-issued certificate chain
 + // This function executes the binary to read its version, and so it assumes
 + // the signature has already been validated.
 +publicstaticfunc validateVersion(binaryPath:URL, serverVersion:String)asyncthrows(ValidationError){
 +guardFileManager.default.fileExists(atPath: binaryPath.path)else{
 +throw.fileNotFound
 +}
++
 +letversion:String
 +do{
 +trychmodX(at: binaryPath)
 +letversionOutput=tryawaitSubprocess.data(for:[binaryPath.path,"version","--output=json"])
 +letparsed:VersionOutput=tryJSONDecoder().decode(VersionOutput.self, from: versionOutput)
 + version = parsed.version
 +}catch{
 +throw.unableToReadVersion(error)
 +}
++
 +guard version == serverVersion else{
 +throw.binaryVersionMismatch(binaryVersion: version, serverVersion: serverVersion)
 +}
 +}
++
 +structVersionOutput:Codable{
 +letversion:String
 +}
++
 +publicstaticletxpcPeerRequirement= anchorRequirement +
 " and certificate leaf[subject.OU] = \""+ expectedTeamIdentifier +"\"" // Signed by the Coder team
+}