impl: add support for disabling CLI signature verification (#564)

fioan89 · web-flow · commit 0773310775f7 · 2025-07-30T23:12:00.000+03:00
* impl: add new configurable option to disable CLI signature verification

These options are configurable from the Settings page there is no available
shortcut on the main plugin page to discourage the quick disable of CLI verification

* impl: hide configurable fallback if signature verification is disabled

The main plugin screen has a quick shortcut for setting whether the user
wants to fallback on releases.coder.com for signatures if they are not provided by
the main deployment. This checkbox should not be visible if the user wants to disable
signature verification altogether.

* impl: skip signature validation

Signature validation is skipped if the user configured the `disableSignatureVerification` to true.

* chore: update changelog

* chore: next version is 2.22.1

* doc: developer facing documentation for CLI signature verification

* chore: fix UTs
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@
 
 ## Unreleased
 
+### Added
+
+- support for skipping CLI signature verification
+
 ## 2.22.0 - 2025-07-25
 
 ### Added
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -16,6 +16,70 @@ There are three ways to get into a workspace:
 
 Currently the first two will configure SSH but the third does not yet.
 
+## GPG Signature Verification
+
+The Coder Gateway plugin starting with version *2.22.0* implements a comprehensive GPG signature verification system to
+ensure the authenticity and integrity of downloaded Coder CLI binaries. This security feature helps protect users from
+running potentially malicious or tampered binaries.
+
+### How It Works
+
+1. **Binary Download**: When connecting to a Coder deployment, the plugin downloads the appropriate Coder CLI binary for
+   the user's operating system and architecture from the deployment's `/bin/` endpoint.
+
+2. **Signature Download**: After downloading the binary, the plugin attempts to download the corresponding `.asc`
+   signature file from the same location. The signature file is named according to the binary (e.g.,
+   `coder-linux-amd64.asc` for `coder-linux-amd64`).
+
+3. **Fallback Signature Sources**: If the signature is not available from the deployment, the plugin can optionally fall
+   back to downloading signatures from `releases.coder.com`. This is controlled by the `fallbackOnCoderForSignatures`
+   setting.
+
+4. **GPG Verification**: The plugin uses the BouncyCastle library shipped with Gateway app to verify the detached GPG
+   signature against the downloaded binary using Coder's trusted public key.
+
+5. **User Interaction**: If signature verification fails or signatures are unavailable, the plugin presents security
+   warnings
+   to users, allowing them to accept the risk and continue or abort the operation.
+
+### Verification Process
+
+The verification process involves several components:
+
+- **`GPGVerifier`**: Handles the core GPG signature verification logic using BouncyCastle
+- **`VerificationResult`**: Represents the outcome of verification (Valid, Invalid, Failed, SignatureNotFound)
+- **`CoderDownloadService`**: Manages downloading both binaries and their signatures
+- **`CoderCLIManager`**: Orchestrates the download and verification workflow
+
+### Configuration Options
+
+Users can control signature verification behavior through plugin settings:
+
+- **`disableSignatureVerification`**: When enabled, skips all signature verification. This is useful for clients running
+  custom CLI builds, or
+  customers with old deployment versions that don't have a signature published on `releases.coder.com`.
+- **`fallbackOnCoderForSignatures`**: When enabled, allows downloading signatures from `releases.coder.com` if not
+  available from the deployment
+
+### Security Considerations
+
+- The plugin embeds Coder's trusted public key in the plugin resources
+- Verification uses detached signatures, which are more secure than attached signatures
+- Users are warned about security risks when verification fails
+- The system gracefully handles cases where signatures are unavailable
+- All verification failures are logged for debugging purposes
+
+### Error Handling
+
+The system handles various failure scenarios:
+
+- **Missing signatures**: Prompts user to accept risk or abort
+- **Invalid signatures**: Warns user about potential tampering and prompts user to accept risk or abort
+- **Verification failures**: Prompts user to accept risk or abort
+
+This signature verification system ensures that users can trust the Coder CLI binaries they download through the plugin,
+protecting against supply chain attacks and ensuring binary integrity.
+
 ## Development
 
 To manually install a local build:
diff --git a/gradle.properties b/gradle.properties
@@ -5,7 +5,7 @@ pluginGroup=com.coder.gateway
 artifactName=coder-gateway
 pluginName=Coder
 # SemVer format -> https://semver.org
-pluginVersion=2.22.0
+pluginVersion=2.22.1
 # See https://plugins.jetbrains.com/docs/intellij/build-number-ranges.html
 # for insight into build numbers and IntelliJ Platform versions.
 pluginSinceBuild=243.26574
diff --git a/src/main/kotlin/com/coder/gateway/CoderSettingsConfigurable.kt b/src/main/kotlin/com/coder/gateway/CoderSettingsConfigurable.kt
@@ -8,13 +8,17 @@ import com.intellij.openapi.components.service
 import com.intellij.openapi.options.BoundConfigurable
 import com.intellij.openapi.ui.DialogPanel
 import com.intellij.openapi.ui.ValidationInfo
+import com.intellij.ui.components.JBCheckBox
 import com.intellij.ui.components.JBTextField
 import com.intellij.ui.dsl.builder.AlignX
+import com.intellij.ui.dsl.builder.Cell
 import com.intellij.ui.dsl.builder.RowLayout
 import com.intellij.ui.dsl.builder.bindSelected
 import com.intellij.ui.dsl.builder.bindText
 import com.intellij.ui.dsl.builder.panel
+import com.intellij.ui.dsl.builder.selected
 import com.intellij.ui.layout.ValidationInfoBuilder
+import com.intellij.ui.layout.not
 import java.net.URL
 import java.nio.file.Path
 
@@ -60,22 +64,27 @@ class CoderSettingsConfigurable : BoundConfigurable("Coder") {
                     .bindText(state::binaryDirectory)
                     .comment(CoderGatewayBundle.message("gateway.connector.settings.binary-destination.comment"))
             }.layout(RowLayout.PARENT_GRID)
-            row {
-                cell() // For alignment.
-                checkBox(CoderGatewayBundle.message("gateway.connector.settings.enable-binary-directory-fallback.title"))
-                    .bindSelected(state::enableBinaryDirectoryFallback)
-                    .comment(
-                        CoderGatewayBundle.message("gateway.connector.settings.enable-binary-directory-fallback.comment"),
-                    )
-            }.layout(RowLayout.PARENT_GRID)
-            row {
-                cell() // For alignment.
-                checkBox(CoderGatewayBundle.message("gateway.connector.settings.fallback-on-coder-for-signatures.title"))
-                    .bindSelected(state::fallbackOnCoderForSignatures)
-                    .comment(
-                        CoderGatewayBundle.message("gateway.connector.settings.fallback-on-coder-for-signatures.comment"),
-                    )
-            }.layout(RowLayout.PARENT_GRID)
+            group {
+                lateinit var signatureVerificationCheckBox: Cell<JBCheckBox>
+                row {
+                    cell() // For alignment.
+                    signatureVerificationCheckBox =
+                        checkBox(CoderGatewayBundle.message("gateway.connector.settings.disable-signature-validation.title"))
+                            .bindSelected(state::disableSignatureVerification)
+                            .comment(
+                                CoderGatewayBundle.message("gateway.connector.settings.disable-signature-validation.comment"),
+                            )
+                }.layout(RowLayout.PARENT_GRID)
+                row {
+                    cell() // For alignment.
+                    checkBox(CoderGatewayBundle.message("gateway.connector.settings.fallback-on-coder-for-signatures.title"))
+                        .bindSelected(state::fallbackOnCoderForSignatures)
+                        .comment(
+                            CoderGatewayBundle.message("gateway.connector.settings.fallback-on-coder-for-signatures.comment"),
+                        )
+                }.visibleIf(signatureVerificationCheckBox.selected.not())
+                    .layout(RowLayout.PARENT_GRID)
+            }
             row(CoderGatewayBundle.message("gateway.connector.settings.header-command.title")) {
                 textField().resizableColumn().align(AlignX.FILL)
                     .bindText(state::headerCommand)
@@ -122,7 +131,10 @@ class CoderSettingsConfigurable : BoundConfigurable("Coder") {
                 textArea().resizableColumn().align(AlignX.FILL)
                     .bindText(state::sshConfigOptions)
                     .comment(
-                        CoderGatewayBundle.message("gateway.connector.settings.ssh-config-options.comment", CODER_SSH_CONFIG_OPTIONS),
+                        CoderGatewayBundle.message(
+                            "gateway.connector.settings.ssh-config-options.comment",
+                            CODER_SSH_CONFIG_OPTIONS
+                        ),
                     )
             }.layout(RowLayout.PARENT_GRID)
             row(CoderGatewayBundle.message("gateway.connector.settings.setup-command.title")) {
@@ -162,7 +174,7 @@ class CoderSettingsConfigurable : BoundConfigurable("Coder") {
                     .bindText(state::defaultIde)
                     .comment(
                         "The default IDE version to display in the IDE selection dropdown. " +
-                            "Example format: CL 2023.3.6 233.15619.8",
+                                "Example format: CL 2023.3.6 233.15619.8",
                     )
             }
             row(CoderGatewayBundle.message("gateway.connector.settings.check-ide-updates.heading")) {
diff --git a/src/main/kotlin/com/coder/gateway/cli/CoderCLIManager.kt b/src/main/kotlin/com/coder/gateway/cli/CoderCLIManager.kt
@@ -174,6 +174,11 @@ class CoderCLIManager(
                     else -> result as DownloadResult.Downloaded
                 }
             }
+            if (settings.disableSignatureVerification) {
+                downloader.commit()
+                logger.info("Skipping over CLI signature verification, it is disabled by the user")
+                return true
+            }
 
             var signatureResult = withContext(Dispatchers.IO) {
                 downloader.downloadSignature(showTextProgress)
diff --git a/src/main/kotlin/com/coder/gateway/settings/CoderSettings.kt b/src/main/kotlin/com/coder/gateway/settings/CoderSettings.kt
@@ -65,7 +65,12 @@ open class CoderSettingsState(
     open var enableBinaryDirectoryFallback: Boolean = false,
 
     /**
-     * Controls whether we fall back release.coder.com
+     * Controls whether we verify the cli signature
+     */
+    open var disableSignatureVerification: Boolean = false,
+
+    /**
+     * Controls whether we fall back release.coder.com if signature validation is enabled
      */
     open var fallbackOnCoderForSignatures: Boolean = false,
 
@@ -109,7 +114,7 @@ open class CoderSettingsState(
     // Default version of IDE to display in IDE selection dropdown
     open var defaultIde: String = "",
     // Whether to check for IDE updates.
-    open var checkIDEUpdates: Boolean = true,
+    open var checkIDEUpdates: Boolean = true
 )
 
 /**
@@ -137,7 +142,7 @@ open class CoderSettings(
     // Overrides the default environment (for tests).
     private val env: Environment = Environment(),
     // Overrides the default binary name (for tests).
-    private val binaryName: String? = null,
+    private val binaryName: String? = null
 ) {
     val tls = CoderTLSSettings(state)
 
@@ -160,6 +165,12 @@ open class CoderSettings(
     val enableBinaryDirectoryFallback: Boolean
         get() = state.enableBinaryDirectoryFallback
 
+    /**
+     * Controls whether we verify the cli signature
+     */
+    val disableSignatureVerification: Boolean
+        get() = state.disableSignatureVerification
+
     /**
      * Controls whether we fall back release.coder.com
      */
diff --git a/src/main/kotlin/com/coder/gateway/views/steps/CoderWorkspacesStepView.kt b/src/main/kotlin/com/coder/gateway/views/steps/CoderWorkspacesStepView.kt
@@ -306,7 +306,7 @@ class CoderWorkspacesStepView :
                         CoderGatewayBundle.message("gateway.connector.settings.fallback-on-coder-for-signatures.comment"),
                     )
 
-            }.layout(RowLayout.PARENT_GRID)
+            }.visible(state.disableSignatureVerification.not()).layout(RowLayout.PARENT_GRID)
             row {
                 scrollCell(
                     toolbar.createPanel().apply {
diff --git a/src/main/resources/messages/CoderGatewayBundle.properties b/src/main/resources/messages/CoderGatewayBundle.properties
@@ -75,10 +75,10 @@ gateway.connector.settings.enable-binary-directory-fallback.title=Fall back to d
 gateway.connector.settings.enable-binary-directory-fallback.comment=Checking this \
   box will allow the plugin to fall back to the data directory when the CLI \
   directory is not writable.
-
+gateway.connector.settings.disable-signature-validation.title=Disable Coder CLI signature verification
+gateway.connector.settings.disable-signature-validation.comment=Useful if you run an unsigned fork for the binary
 gateway.connector.settings.fallback-on-coder-for-signatures.title=Fall back on releases.coder.com for signatures
 gateway.connector.settings.fallback-on-coder-for-signatures.comment=Verify binary signature using releases.coder.com when CLI signatures are not available from the deployment
-
 gateway.connector.settings.header-command.title=Header command
 gateway.connector.settings.header-command.comment=An external command that \
   outputs additional HTTP headers added to all requests. The command must \
diff --git a/src/test/kotlin/com/coder/gateway/cli/CoderCLIManagerTest.kt b/src/test/kotlin/com/coder/gateway/cli/CoderCLIManagerTest.kt
@@ -124,7 +124,7 @@ internal class CoderCLIManagerTest {
             CoderSettings(
                 CoderSettingsState(
                     dataDirectory = tmpdir.resolve("cli-data-dir").toString(),
-                    binaryDirectory = tmpdir.resolve("cli-bin-dir").toString(),
+                    binaryDirectory = tmpdir.resolve("cli-bin-dir").toString()
                 ),
             )
         val url = URL("http://localhost")
diff --git a/src/test/kotlin/com/coder/gateway/sdk/CoderRestClientTest.kt b/src/test/kotlin/com/coder/gateway/sdk/CoderRestClientTest.kt
@@ -229,31 +229,44 @@ class CoderRestClientTest {
                 // Nothing, so no resources.
                 emptyList(),
                 // One workspace with an agent, but no resources.
-                listOf(TestWorkspace(DataGen.workspace("ws1", agents = mapOf("agent1" to "3f51da1d-306f-4a40-ac12-62bda5bc5f9a")))),
+                listOf(
+                    TestWorkspace(
+                        DataGen.workspace(
+                            "ws1",
+                            agents = mapOf("agent1" to "3f51da1d-306f-4a40-ac12-62bda5bc5f9a")
+                        )
+                    )
+                ),
                 // One workspace with an agent and resources that do not match the agent.
                 listOf(
                     TestWorkspace(
-                        workspace = DataGen.workspace("ws1", agents = mapOf("agent1" to "3f51da1d-306f-4a40-ac12-62bda5bc5f9a")),
-                        resources =
-                        listOf(
-                            DataGen.resource("agent2", "968eea5e-8787-439d-88cd-5bc440216a34"),
-                            DataGen.resource("agent3", "72fbc97b-952c-40c8-b1e5-7535f4407728"),
+                        workspace = DataGen.workspace(
+                            "ws1",
+                            agents = mapOf("agent1" to "3f51da1d-306f-4a40-ac12-62bda5bc5f9a")
                         ),
+                        resources =
+                            listOf(
+                                DataGen.resource("agent2", "968eea5e-8787-439d-88cd-5bc440216a34"),
+                                DataGen.resource("agent3", "72fbc97b-952c-40c8-b1e5-7535f4407728"),
+                            ),
                     ),
                 ),
                 // Multiple workspaces but only one has resources.
                 listOf(
                     TestWorkspace(
-                        workspace = DataGen.workspace("ws1", agents = mapOf("agent1" to "3f51da1d-306f-4a40-ac12-62bda5bc5f9a")),
+                        workspace = DataGen.workspace(
+                            "ws1",
+                            agents = mapOf("agent1" to "3f51da1d-306f-4a40-ac12-62bda5bc5f9a")
+                        ),
                         resources = emptyList(),
                     ),
                     TestWorkspace(
                         workspace = DataGen.workspace("ws2"),
                         resources =
-                        listOf(
-                            DataGen.resource("agent2", "968eea5e-8787-439d-88cd-5bc440216a34"),
-                            DataGen.resource("agent3", "72fbc97b-952c-40c8-b1e5-7535f4407728"),
-                        ),
+                            listOf(
+                                DataGen.resource("agent2", "968eea5e-8787-439d-88cd-5bc440216a34"),
+                                DataGen.resource("agent3", "72fbc97b-952c-40c8-b1e5-7535f4407728"),
+                            ),
                     ),
                     TestWorkspace(
                         workspace = DataGen.workspace("ws3"),
@@ -272,7 +285,8 @@ class CoderRestClientTest {
                     val matches = resourceEndpoint.find(exchange.requestURI.path)
                     if (matches != null) {
                         val templateVersionId = UUID.fromString(matches.destructured.toList()[0])
-                        val ws = workspaces.firstOrNull { it.workspace.latestBuild.templateVersionID == templateVersionId }
+                        val ws =
+                            workspaces.firstOrNull { it.workspace.latestBuild.templateVersionID == templateVersionId }
                         if (ws != null) {
                             val body =
                                 moshi.adapter<List<WorkspaceResource>>(
@@ -326,7 +340,8 @@ class CoderRestClientTest {
                 val buildMatch = buildEndpoint.find(exchange.requestURI.path)
                 if (buildMatch != null) {
                     val workspaceId = UUID.fromString(buildMatch.destructured.toList()[0])
-                    val json = moshi.adapter(CreateWorkspaceBuildRequest::class.java).fromJson(exchange.requestBody.source().buffer())
+                    val json = moshi.adapter(CreateWorkspaceBuildRequest::class.java)
+                        .fromJson(exchange.requestBody.source().buffer())
                     if (json == null) {
                         val response = Response("No body", "No body for create workspace build request")
                         val body = moshi.adapter(Response::class.java).toJson(response).toByteArray()
@@ -396,8 +411,8 @@ class CoderRestClientTest {
             CoderSettings(
                 CoderSettingsState(
                     tlsCAPath = Path.of("src/test/fixtures/tls", "self-signed.crt").toString(),
-                    tlsAlternateHostname = "localhost",
-                ),
+                    tlsAlternateHostname = "localhost"
+                )
             )
         val user = DataGen.user()
         val (srv, url) = mockTLSServer("self-signed")
@@ -422,8 +437,8 @@ class CoderRestClientTest {
             CoderSettings(
                 CoderSettingsState(
                     tlsCAPath = Path.of("src/test/fixtures/tls", "self-signed.crt").toString(),
-                    tlsAlternateHostname = "fake.example.com",
-                ),
+                    tlsAlternateHostname = "fake.example.com"
+                )
             )
         val (srv, url) = mockTLSServer("self-signed")
         val client = CoderRestClient(URL(url), "token", settings)
@@ -441,8 +456,8 @@ class CoderRestClientTest {
         val settings =
             CoderSettings(
                 CoderSettingsState(
-                    tlsCAPath = Path.of("src/test/fixtures/tls", "self-signed.crt").toString(),
-                ),
+                    tlsCAPath = Path.of("src/test/fixtures/tls", "self-signed.crt").toString()
+                )
             )
         val (srv, url) = mockTLSServer("no-signing")
         val client = CoderRestClient(URL(url), "token", settings)
@@ -461,7 +476,7 @@ class CoderRestClientTest {
             CoderSettings(
                 CoderSettingsState(
                     tlsCAPath = Path.of("src/test/fixtures/tls", "chain-root.crt").toString(),
-                ),
+                )
             )
         val user = DataGen.user()
         val (srv, url) = mockTLSServer("chain")
@@ -505,7 +520,8 @@ class CoderRestClientTest {
                     "bar",
                     true,
                     object : ProxySelector() {
-                        override fun select(uri: URI): List<Proxy> = listOf(Proxy(Proxy.Type.HTTP, InetSocketAddress("localhost", srv2.address.port)))
+                        override fun select(uri: URI): List<Proxy> =
+                            listOf(Proxy(Proxy.Type.HTTP, InetSocketAddress("localhost", srv2.address.port)))
 
                         override fun connectFailed(
                             uri: URI,
diff --git a/src/test/kotlin/com/coder/gateway/settings/CoderSettingsTest.kt b/src/test/kotlin/com/coder/gateway/settings/CoderSettingsTest.kt

Original file line number	Diff line number	Diff line change
`@@ -174,6 +174,11 @@ class CoderCLIManager(`
`174`	`174`	`else -> result as DownloadResult.Downloaded`
`175`	`175`	`}`
`176`	`176`	`}`
	`177`	`+ if (settings.disableSignatureVerification) {`
	`178`	`+ downloader.commit()`
	`179`	`+ logger.info("Skipping over CLI signature verification, it is disabled by the user")`
	`180`	`+ return true`
	`181`	`+ }`
`177`	`182`
`178`	`183`	`var signatureResult = withContext(Dispatchers.IO) {`
`179`	`184`	`downloader.downloadSignature(showTextProgress)`
Original file line number	Diff line number	Diff line change
`@@ -306,7 +306,7 @@ class CoderWorkspacesStepView :`
`306`	`306`	`CoderGatewayBundle.message("gateway.connector.settings.fallback-on-coder-for-signatures.comment"),`
`307`	`307`	`)`
`308`	`308`
`309`		`- }.layout(RowLayout.PARENT_GRID)`
	`309`	`+ }.visible(state.disableSignatureVerification.not()).layout(RowLayout.PARENT_GRID)`
`310`	`310`	`row {`
`311`	`311`	`scrollCell(`
`312`	`312`	`toolbar.createPanel().apply {`
Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,7 @@ internal class CoderCLIManagerTest {`
`124`	`124`	`CoderSettings(`
`125`	`125`	`CoderSettingsState(`
`126`	`126`	`dataDirectory = tmpdir.resolve("cli-data-dir").toString(),`
`127`		`- binaryDirectory = tmpdir.resolve("cli-bin-dir").toString(),`
	`127`	`+ binaryDirectory = tmpdir.resolve("cli-bin-dir").toString()`
`128`	`128`	`),`
`129`	`129`	`)`
`130`	`130`	`val url = URL("http://localhost")`