chore: ensure downloaded slim binary version matches server#211
Conversation
matifali commented Jul 31, 2025
Not directly related but @jdomeracki-coder should we also implement binary verification in Coderd Desktop? cc: @deansheather |
ethanndicksonforce-pushed the ethan/validate-slim-binary-version branch from 929c831 to 262c4d1Compare| letversion:String | ||
| do{ | ||
| letversionOutput=tryawaitSubprocess.data(for:[binaryPath.path,"version","--output=json"]) |
There was a problem hiding this comment.
Any way to drop privileges for this subprocess? We are root after all...
There was a problem hiding this comment.
This is possible with a combination of launchctl asuser <uid> and sudo -u [<uid>|<username>]:
sudo -u '#501' launchctl asuser 501 /usr/bin/whoami One switches the UID, the other the (macOS specific) execution context.
Unfortunately,
$ sudo -u nobody launchctl asuser -2 /usr/bin/whoami Could not switch to audit session 0x187c3: 1: Operation not permitted does not work, and so we'd need to determine the currently logged in user in some other way.501 is the first created user on the machine, and on corporate devices this will likely be some admin user.
There was a problem hiding this comment.
It's fine to execute it as root if it's too difficult, the signature is still ours so the risk is small
ethanndicksonforce-pushed the ethan/slim-over-dylib branch from e9e15db to c7602c2Compareethanndicksonforce-pushed the ethan/validate-slim-binary-version branch from 262c4d1 to a7b16eaCompareethanndicksonforce-pushed the ethan/slim-over-dylib branch from c7602c2 to f008801Compareethanndicksonforce-pushed the ethan/validate-slim-binary-version branch from a7b16ea to 9695afeCompareethanndicksonforce-pushed the ethan/slim-over-dylib branch from f008801 to 847006fCompareethanndicksonforce-pushed the ethan/validate-slim-binary-version branch 2 times, most recently from c229789 to a723a9aCompareethanndicksonforce-pushed the ethan/slim-over-dylib branch from 847006f to d9255bcCompareethanndicksonforce-pushed the ethan/validate-slim-binary-version branch from a723a9a to ffe7d2eCompareethanndicksonforce-pushed the ethan/slim-over-dylib branch from d9255bc to 4f29ff3Compareethanndicksonforce-pushed the ethan/validate-slim-binary-version branch from ffe7d2e to ab9ca27Compareethanndicksonforce-pushed the ethan/slim-over-dylib branch from 4f29ff3 to 5840bceCompareethanndicksonforce-pushed the ethan/validate-slim-binary-version branch from ab9ca27 to 50e4a63Compareethanndicksonforce-pushed the ethan/slim-over-dylib branch from 5840bce to 3f7f6b6Compare
ethanndicksonforce-pushed the ethan/validate-slim-binary-version branch from 50e4a63 to 8fb9382Compareethanndicksonforce-pushed the ethan/slim-over-dylib branch from 3f7f6b6 to 42b8f0bCompareethanndicksonforce-pushed the ethan/validate-slim-binary-version branch from 8fb9382 to 431149fCompareethanndicksonforce-pushed the ethan/slim-over-dylib branch from 42b8f0b to b716554Compareethanndicksonforce-pushed the ethan/slim-over-dylib branch from b716554 to 02b3369Compareethanndicksonforce-pushed the ethan/validate-slim-binary-version branch from 431149f to 8fceeabCompareThere was a problem hiding this comment.
Pull Request Overview
This PR enhances the security validation of downloaded Coder CLI binaries by adding version validation and strengthening certificate chain verification. The changes prevent downgrade attacks by ensuring the downloaded binary version matches the server version, and add explicit Apple certificate chain validation.
Key changes:
- Split validation into separate signature and version validation functions
- Add binary version validation by executing
coder version --output=json - Strengthen certificate validation to require Apple-issued certificate chain
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Coder-Desktop/VPNLib/Validate.swift | Refactors validation logic, adds version validation function, and enhances certificate chain requirements |
| Coder-Desktop/Coder-DesktopHelper/Manager.swift | Updates to use new two-step validation process (signature then version) |
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
ethanndicksonforce-pushed the ethan/slim-over-dylib branch from 02b3369 to a4bbf6bCompareethanndicksonforce-pushed the ethan/validate-slim-binary-version branch from 8fceeab to 62c3d0aCompareMerge activity
|
ethanndickson changed the base branch from ethan/slim-over-dylib to graphite-base/211
ethanndicksonforce-pushed the ethan/validate-slim-binary-version branch from 62c3d0a to 7c6b9a7Compareethanndickson merged commit b74def3 into mainUh oh!
There was an error while loading. Please reload this page.
3 participants
Relates to #201.
After we've validated the binary signature, we exec
coder version --output=jsonto validate the version of the downloaded binary matches the server. This is done to prevent against downgrade attacks, and to match the checking we had on the dylib before.Additionally, this PR also ensures the certificate used to sign the binary is part of an Apple-issued certificate chain.
I assumed we were checking this before (by default) but we weren't.
Though we weren't previously checking it, we were only ever downloading and executing a dylib.
My understanding is that macOS won't execute a dylib unless the executing process and the dylib were signed by the same Apple developer team (at least in a sandboxed process, as is the Network Extension).
Only now, when
posix_spawning the slim binary from an unsandboxed LaunchDaemon, is this check absolutely necessary.