Skip to content

Add binary signature verification #558

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Jul 29, 2025
Merged

Add binary signature verification #558

merged 9 commits into from
Jul 29, 2025
+957 −217

Conversation

code-asher
Copy link
Member

@code-asher code-asher commented Jul 23, 2025
edited
Loading

I extracted the download function (since I needed to reuse it to download signatures) to a separate commit so it is easier to review the signature additions separately, if that is of interest.

This downloads the detached signature from Coder if available or releases.coder.com if not, then verifies the binary using that detached signature and the bundled public key. The check is performed only when the binary is first download.

  • Add option to disable
  • Skip headers when requesting releases.coder.com
  • Tests (for signing, no tests for the UI changes, ideally we get something set up to do that at some point, although we could mock the VS Code APIs in the meantime...)

@code-asher code-asher force-pushed the asher/binary-verification branch 2 times, most recently from 753e955 to 3e18934 Compare July 23, 2025 20:45
@code-asher
Break out download code
63067d0 
The main thing here is to pass in an Axios client instead of the SDK
client since this does not need to make API calls and we will need to
pass a separate client without headers when downloading external
signatures.

Otherwise the structure remains the same.  Some variables are renamed
due to being in a new context and some strings messages are simplified.
@code-asher
Get config once
e903482 
A tiny refactor since I will need to get a third config option.
@code-asher code-asher force-pushed the asher/binary-verification branch 2 times, most recently from 33b14b9 to 18c3c88 Compare July 23, 2025 21:59
@code-asher code-asher force-pushed the asher/binary-verification branch from 18c3c88 to 860b1aa Compare July 23, 2025 22:11
@code-asher code-asher requested a review from aslilac July 23, 2025 22:15
@code-asher
Omit fixtures when packaging
df064f9 
They are not needed, and the packaging step will error that it looks
like you are trying to package secrets due to the test key fixtures.
aslilac
aslilac approved these changes Jul 25, 2025
View reviewed changes
Copy link
Member

@aslilac aslilac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm gonna need you to sign a waiver indicating that you know I'm not a cryptography expert and will not be held responsible for any glaring security issues before you merge this 😝 but it looks good!

@code-asher
Copy link
Member Author

cc @jdomeracki-coder in case you want to take a look, should be similar to the JetBrains plugin but I went with the original flow instead of the checkbox during login since we can have prompts with multiple buttons here.

jdomeracki-coder
jdomeracki-coder approved these changes Jul 29, 2025
View reviewed changes
Copy link

@jdomeracki-coder jdomeracki-coder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@code-asher code-asher merged commit 5054994 into main Jul 29, 2025
2 checks passed
@code-asher code-asher deleted the asher/binary-verification branch July 29, 2025 22:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aslilac aslilac aslilac approved these changes

@jdomeracki-coder jdomeracki-coder jdomeracki-coder approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@code-asher @aslilac @jdomeracki-coder
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy