impl: verify cli signature (#148)

This PR introduces support for verifying the CLI binary using a detached
PGP signature. Starting with version 2.24, Coder signs all CLI binaries.
For clients using older versions or running TBX in air-gapped
environments, unsigned CLIs can still be executed — but users will have
to confirm it each time.

In terms of code changes - the PR includes a big refactor around CLI
downloading with most of the code refactored and extracted in various
components that provide clean steps and result state in the main
download method. Then the pgp verification logic was added on top, with
some particularities:
- the pgp public key is embedded in the plugin as a jar resource
- we support multiple key rings in the public key
- the user has the option of running the CLI if no signature was found
- the signature search has a fallback approach: first we look in the
Coder deployment, and then fall back to releases.coder.com to search for
the signature if the user allows it.
- we expect the signature to be under the same relative path as the CLI
(we have an option which allows user to pick the CLI from a different
source other than the Coder deployment)

Author: fioan89

CHANGELOG.md

@@ -5,6 +5,7 @@
 ### Added
 
 - support for matching workspace agent in the URI via the agent name
+- support for checking if CLI is signed
 
 ### Removed
 

build.gradle.kts

@@ -63,6 +63,7 @@ dependencies {
     ksp(libs.moshi.codegen)
     implementation(libs.retrofit)
     implementation(libs.retrofit.moshi)
+    implementation(libs.bundles.bouncycastle)
     testImplementation(kotlin("test"))
     testImplementation(libs.mokk)
     testImplementation(libs.bundles.toolbox.plugin.api)

gradle.properties

@@ -1,3 +1,3 @@
-version=0.4.0
+version=0.5.0
 group=com.coder.toolbox
 name=coder-toolbox

gradle/libs.versions.toml

@@ -16,6 +16,7 @@ gettext = "0.7.0"
 plugin-structure = "3.310"
 mockk = "1.14.4"
 detekt = "1.23.8"
+bouncycastle = "1.81"
 
 [libraries]
 toolbox-core-api = { module = "com.jetbrains.toolbox:core-api", version.ref = "toolbox-plugin-api" }
@@ -34,10 +35,13 @@ retrofit-moshi = { module = "com.squareup.retrofit2:converter-moshi", version.re
 plugin-structure = { module = "org.jetbrains.intellij.plugins:structure-toolbox", version.ref = "plugin-structure" }
 mokk = { module = "io.mockk:mockk", version.ref = "mockk" }
 marketplace-client = { module = "org.jetbrains.intellij:plugin-repository-rest-client", version.ref = "marketplace-client" }
+bouncycastle-bcpg = { module = "org.bouncycastle:bcpg-jdk18on", version.ref = "bouncycastle" }
+bouncycastle-bcprov = { module = "org.bouncycastle:bcprov-jdk18on", version.ref = "bouncycastle" }
 
 [bundles]
 serialization = ["serialization-core", "serialization-json", "serialization-json-okio"]
 toolbox-plugin-api = ["toolbox-core-api", "toolbox-ui-api", "toolbox-remote-dev-api"]
+bouncycastle = ["bouncycastle-bcpg", "bouncycastle-bcprov"]
 
 [plugins]
 kotlin = { id = "org.jetbrains.kotlin.jvm", version.ref = "kotlin" }

src/main/kotlin/com/coder/toolbox/CoderRemoteProvider.kt

@@ -35,6 +35,7 @@ import kotlinx.coroutines.launch
 import kotlinx.coroutines.selects.onTimeout
 import kotlinx.coroutines.selects.select
 import java.net.URI
+import java.util.UUID
 import kotlin.coroutines.cancellation.CancellationException
 import kotlin.time.Duration.Companion.seconds
 import kotlin.time.TimeSource
@@ -302,31 +303,51 @@ class CoderRemoteProvider(
      * Handle incoming links (like from the dashboard).
      */
     override suspend fun handleUri(uri: URI) {
-        linkHandler.handle(
-            uri, shouldDoAutoSetup(),
-            {
-                coderHeaderPage.isBusyCreatingNewEnvironment.update {
-                    true
+        try {
+            linkHandler.handle(
+                uri, shouldDoAutoSetup(),
+                {
+                    coderHeaderPage.isBusyCreatingNewEnvironment.update {
+                        true
+                    }
+                },
+                {
+                    coderHeaderPage.isBusyCreatingNewEnvironment.update {
+                        false
+                    }
                 }
-            },
-            {
-                coderHeaderPage.isBusyCreatingNewEnvironment.update {
+            ) { restClient, cli ->
+                // stop polling and de-initialize resources
+                close()
+                isInitialized.update {
                     false
                 }
+                // start initialization with the new settings
+                this@CoderRemoteProvider.client = restClient
+                coderHeaderPage.setTitle(context.i18n.pnotr(restClient.url.toString()))
+
+                environments.showLoadingMessage()
+                pollJob = poll(restClient, cli)
+                isInitialized.waitForTrue()
             }
-        ) { restClient, cli ->
-            // stop polling and de-initialize resources
-            close()
-            isInitialized.update {
+        } catch (ex: Exception) {
+            context.logger.error(ex, "")
+            val textError = if (ex is APIResponseException) {
+                if (!ex.reason.isNullOrBlank()) {
+                    ex.reason
+                } else ex.message
+            } else ex.message
+
+            context.ui.showSnackbar(
+                UUID.randomUUID().toString(),
+                context.i18n.ptrl("Error encountered while handling Coder URI"),
+                context.i18n.pnotr(textError ?: ""),
+                context.i18n.ptrl("Dismiss")
+            )
+        } finally {
+            coderHeaderPage.isBusyCreatingNewEnvironment.update {
                 false
             }
-            // start initialization with the new settings
-            this@CoderRemoteProvider.client = restClient
-            coderHeaderPage.setTitle(context.i18n.pnotr(restClient.url.toString()))
-
-            environments.showLoadingMessage()
-            pollJob = poll(restClient, cli)
-            isInitialized.waitForTrue()
         }
     }