impl: verify gpg signed cli binaries

Adds logic to verify the CLI against a detached GPG signature with the help of bouncycastle library

Author: fioan89

src/main/kotlin/com/coder/toolbox/cli/CoderCLIManager.kt

@@ -7,6 +7,9 @@ import com.coder.toolbox.cli.downloader.DownloadResult.Downloaded
 import com.coder.toolbox.cli.ex.MissingVersionException
 import com.coder.toolbox.cli.ex.SSHConfigFormatException
 import com.coder.toolbox.cli.ex.UnsignedBinaryExecutionDeniedException
+import com.coder.toolbox.cli.gpg.GPGVerifier
+import com.coder.toolbox.cli.gpg.VerificationResult.Failed
+import com.coder.toolbox.cli.gpg.VerificationResult.Invalid
 import com.coder.toolbox.sdk.v2.models.Workspace
 import com.coder.toolbox.sdk.v2.models.WorkspaceAgent
 import com.coder.toolbox.util.CoderHostnameVerifier
@@ -132,6 +135,7 @@ class CoderCLIManager(
     private val forceDownloadToData: Boolean = false,
 ) {
     private val downloader = createDownloadService()
+    private val gpgVerifier = GPGVerifier(context)
 
     val remoteBinaryURL: URL = context.settingsStore.binSource(deploymentURL)
     val localBinaryPath: Path = context.settingsStore.binPath(deploymentURL, forceDownloadToData)
@@ -169,20 +173,20 @@ class CoderCLIManager(
             }
         }
 
-        var signatureDownloadResult = withContext(Dispatchers.IO) {
+        var signatureResult = withContext(Dispatchers.IO) {
             downloader.downloadSignature(showTextProgress)
         }
 
-        if (signatureDownloadResult.isNotDownloaded()) {
+        if (signatureResult.isNotDownloaded()) {
             context.logger.info("Trying to download signature file from releases.coder.com")
-            signatureDownloadResult = withContext(Dispatchers.IO) {
+            signatureResult = withContext(Dispatchers.IO) {
                 downloader.downloadReleasesSignature(showTextProgress)
             }
         }
 
         // if we could not find any signature and the user wants to explicitly
         // confirm whether we run an unsigned cli
-        if (signatureDownloadResult.isNotDownloaded()) {
+        if (signatureResult.isNotDownloaded()) {
             if (context.settingsStore.allowUnsignedBinaryWithoutPrompt) {
                 context.logger.warn("Running unsigned CLI from ${cliResult.source}")
             } else {
@@ -196,15 +200,30 @@ class CoderCLIManager(
                 if (acceptsUnsignedBinary) {
                     return true
                 } else {
-                    // remove the cli, otherwise next time the user tries to login the cached cli is picked up
+                    // remove the cli, otherwise next time the user tries to login the cached cli is picked up,
                     // and we don't verify cached cli signatures
                     Files.delete(cliResult.dst)
                     throw UnsignedBinaryExecutionDeniedException("Running unsigned CLI from ${cliResult.source} was denied by the user")
                 }
             }
         }
 
-        return cliResult.isDownloaded()
+        // we have the cli, and signature is downloaded, let's verify the signature
+        signatureResult = signatureResult as Downloaded
+        gpgVerifier.verifySignature(cliResult.dst, signatureResult.dst).let { result ->
+            when {
+                result.isValid() -> return true
+                result.isInvalid() -> {
+                    val reason = (result as Invalid).reason
+                    throw UnsignedBinaryExecutionDeniedException(
+                        "Signature of ${cliResult.dst} is invalid." + reason?.let { " Reason: $it" }.orEmpty()
+                    )
+                }
+
+                result.signatureIsNotFound() -> throw UnsignedBinaryExecutionDeniedException("Can't verify signature of ${cliResult.dst} because ${signatureResult.dst} does not exist")
+                else -> throw UnsignedBinaryExecutionDeniedException((result as Failed).error.message)
+            }
+        }
     }
 
     /**

src/main/kotlin/com/coder/toolbox/cli/ex/Exceptions.kt

@@ -6,4 +6,4 @@ class SSHConfigFormatException(message: String) : Exception(message)
 
 class MissingVersionException(message: String) : Exception(message)
 
-class UnsignedBinaryExecutionDeniedException(message: String) : Exception(message)
+class UnsignedBinaryExecutionDeniedException(message: String?) : Exception(message)

src/main/kotlin/com/coder/toolbox/cli/gpg/GPGVerifier.kt

@@ -0,0 +1,122 @@
+package com.coder.toolbox.cli.gpg
+
+import com.coder.toolbox.CoderToolboxContext
+import com.coder.toolbox.cli.gpg.VerificationResult.Failed
+import com.coder.toolbox.cli.gpg.VerificationResult.Invalid
+import com.coder.toolbox.cli.gpg.VerificationResult.SignatureNotFound
+import com.coder.toolbox.cli.gpg.VerificationResult.Valid
+import org.bouncycastle.bcpg.ArmoredInputStream
+import org.bouncycastle.openpgp.PGPException
+import org.bouncycastle.openpgp.PGPPublicKeyRing
+import org.bouncycastle.openpgp.PGPPublicKeyRingCollection
+import org.bouncycastle.openpgp.PGPSignatureList
+import org.bouncycastle.openpgp.PGPUtil
+import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory
+import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator
+import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider
+import java.io.ByteArrayInputStream
+import java.nio.file.Files
+import java.nio.file.Path
+
+class GPGVerifier(
+    private val context: CoderToolboxContext,
+) {
+
+    fun verifySignature(
+        cli: Path,
+        signature: Path,
+    ): VerificationResult {
+        return try {
+            if (!Files.exists(signature)) {
+                context.logger.warn("Signature file not found, skipping verification")
+                return SignatureNotFound
+            }
+
+            val signatureBytes = Files.readAllBytes(signature)
+            val cliBytes = Files.readAllBytes(cli)
+
+            val publicKeyRing = getCoderPublicKeyRing()
+            return verifyDetachedSignature(
+                cliBytes = cliBytes,
+                signatureBytes = signatureBytes,
+                publicKeyRing = publicKeyRing
+            )
+        } catch (e: Exception) {
+            context.logger.error(e, "GPG signature verification failed")
+            Failed(e)
+        }
+    }
+
+    private fun getCoderPublicKeyRing(): PGPPublicKeyRing {
+        return try {
+            getDefaultCoderPublicKeyRing()
+        } catch (e: Exception) {
+            throw PGPException("Failed to load Coder public GPG key", e)
+        }
+    }
+
+    private fun getDefaultCoderPublicKeyRing(): PGPPublicKeyRing {
+        val coderPublicKey = """
+            -----BEGIN PGP PUBLIC KEY BLOCK-----
+            
+            # Replace this with Coder's actual public key
+            
+            -----END PGP PUBLIC KEY BLOCK-----
+        """.trimIndent()
+
+        return loadPublicKeyRing(coderPublicKey.toByteArray())
+    }
+
+    /**
+     * Verify a detached GPG signature
+     */
+    fun verifyDetachedSignature(
+        cliBytes: ByteArray,
+        signatureBytes: ByteArray,
+        publicKeyRing: PGPPublicKeyRing
+    ): VerificationResult {
+        try {
+            val signatureInputStream = ArmoredInputStream(ByteArrayInputStream(signatureBytes))
+            val pgpObjectFactory = JcaPGPObjectFactory(signatureInputStream)
+            val signatureList = pgpObjectFactory.nextObject() as? PGPSignatureList
+                ?: throw PGPException("Invalid signature format")
+
+            if (signatureList.isEmpty) {
+                return Invalid("No signatures found in signature file")
+            }
+
+            val signature = signatureList[0]
+            val publicKey = publicKeyRing.getPublicKey(signature.keyID)
+                ?: throw PGPException("Public key not found for signature")
+
+            signature.init(JcaPGPContentVerifierBuilderProvider(), publicKey)
+            signature.update(cliBytes)
+
+            val isValid = signature.verify()
+            context.logger.info("GPG signature verification result: $isValid")
+            if (isValid) {
+                return Valid
+            }
+            return Invalid()
+        } catch (e: Exception) {
+            context.logger.error(e, "GPG signature verification failed")
+            return Failed(e)
+        }
+    }
+
+    /**
+     * Load public key ring from bytes
+     */
+    fun loadPublicKeyRing(publicKeyBytes: ByteArray): PGPPublicKeyRing {
+        return try {
+            val keyInputStream = ArmoredInputStream(ByteArrayInputStream(publicKeyBytes))
+            val keyRingCollection = PGPPublicKeyRingCollection(
+                PGPUtil.getDecoderStream(keyInputStream),
+                JcaKeyFingerprintCalculator()
+            )
+            keyRingCollection.keyRings.next()
+        } catch (e: Exception) {
+            throw PGPException("Failed to load public key ring", e)
+        }
+    }
+}

src/main/kotlin/com/coder/toolbox/cli/gpg/VerificationResult.kt

@@ -0,0 +1,15 @@
+package com.coder.toolbox.cli.gpg
+
+/**
+ * Result of signature verification
+ */
+sealed class VerificationResult {
+    object Valid : VerificationResult()
+    data class Invalid(val reason: String? = null) : VerificationResult()
+    data class Failed(val error: Exception) : VerificationResult()
+    object SignatureNotFound : VerificationResult()
+
+    fun isValid(): Boolean = this == Valid
+    fun isInvalid(): Boolean = this is Invalid
+    fun signatureIsNotFound(): Boolean = this == SignatureNotFound
+}