chore: ensure downloaded slim binary version matches server (#211)

ethanndickson · web-flow · commit b74def3e513c · 2025-08-06T13:53:23.000+10:00
Relates to #201. **After we've validated the binary signature**, we exec `coder version --output=json` to validate the version of the downloaded binary matches the server. This is done to prevent against downgrade attacks, and to match the checking we had on the dylib before. Additionally, this PR also ensures the certificate used to sign the binary is part of an Apple-issued certificate chain. I assumed we were checking this before (by default) but we weren't. Though we weren't previously checking it, we were only ever downloading and executing a dylib. My understanding is that macOS won't execute a dylib unless the executing process and the dylib were signed by the same Apple developer team (at [least in a sandboxed process](https://developer.apple.com/forums/thread/683914), as is the Network Extension). Only now, when `posix_spawn`ing the slim binary from an unsandboxed LaunchDaemon, is this check absolutely necessary.
diff --git a/Coder-Desktop/Coder-DesktopHelper/Manager.swift b/Coder-Desktop/Coder-DesktopHelper/Manager.swift
@@ -76,7 +76,8 @@ actor Manager {
         }
         pushProgress(stage: .validating)
         do {
-            try Validator.validate(path: dest)
+            try Validator.validateSignature(binaryPath: dest)
+            try await Validator.validateVersion(binaryPath: dest, serverVersion: buildInfo.version)
         } catch {
             // Cleanup unvalid binary
             try? FileManager.default.removeItem(at: dest)
diff --git a/Coder-Desktop/VPNLib/Validate.swift b/Coder-Desktop/VPNLib/Validate.swift
@@ -1,4 +1,5 @@
 import Foundation
+import Subprocess
 
 public enum ValidationError: Error {
     case fileNotFound
@@ -7,7 +8,9 @@ public enum ValidationError: Error {
     case unableToRetrieveSignature
     case invalidIdentifier(identifier: String?)
     case invalidTeamIdentifier(identifier: String?)
-    case invalidVersion(version: String?)
+    case unableToReadVersion(any Error)
+    case binaryVersionMismatch(binaryVersion: String, serverVersion: String)
+    case internalError(OSStatus)
 
     public var description: String {
         switch self {
@@ -21,10 +24,14 @@ public enum ValidationError: Error {
             "Unable to retrieve signing information."
         case let .invalidIdentifier(identifier):
             "Invalid identifier: \(identifier ?? "unknown")."
-        case let .invalidVersion(version):
-            "Invalid runtime version: \(version ?? "unknown")."
+        case let .binaryVersionMismatch(binaryVersion, serverVersion):
+            "Binary version does not match server. Binary: \(binaryVersion), Server: \(serverVersion)."
         case let .invalidTeamIdentifier(identifier):
             "Invalid team identifier: \(identifier ?? "unknown")."
+        case let .unableToReadVersion(error):
+            "Unable to execute the binary to read version: \(error.localizedDescription)"
+        case let .internalError(status):
+            "Internal error with OSStatus code: \(status)."
         }
     }
 
@@ -37,22 +44,32 @@ public class Validator {
     public static let minimumCoderVersion = "2.24.2"
 
     private static let expectedIdentifier = "com.coder.cli"
+    // The Coder team identifier
     private static let expectedTeamIdentifier = "4399GN35BJ"
 
+    // Apple-issued certificate chain
+    public static let anchorRequirement = "anchor apple generic"
+
     private static let signInfoFlags: SecCSFlags = .init(rawValue: kSecCSSigningInformation)
 
-    public static func validate(path: URL) throws(ValidationError) {
-        guard FileManager.default.fileExists(atPath: path.path) else {
+    public static func validateSignature(binaryPath: URL) throws(ValidationError) {
+        guard FileManager.default.fileExists(atPath: binaryPath.path) else {
             throw .fileNotFound
         }
 
         var staticCode: SecStaticCode?
-        let status = SecStaticCodeCreateWithPath(path as CFURL, SecCSFlags(), &staticCode)
+        let status = SecStaticCodeCreateWithPath(binaryPath as CFURL, SecCSFlags(), &staticCode)
         guard status == errSecSuccess, let code = staticCode else {
             throw .unableToCreateStaticCode
         }
 
-        let validateStatus = SecStaticCodeCheckValidity(code, SecCSFlags(), nil)
+        var requirement: SecRequirement?
+        let reqStatus = SecRequirementCreateWithString(anchorRequirement as CFString, SecCSFlags(), &requirement)
+        guard reqStatus == errSecSuccess, let requirement else {
+            throw .internalError(OSStatus(reqStatus))
+        }
+
+        let validateStatus = SecStaticCodeCheckValidity(code, SecCSFlags(), requirement)
         guard validateStatus == errSecSuccess else {
             throw .invalidSignature
         }
@@ -78,6 +95,32 @@ public class Validator {
         }
     }
 
-    public static let xpcPeerRequirement = "anchor apple generic" + // Apple-issued certificate chain
+    // This function executes the binary to read its version, and so it assumes
+    // the signature has already been validated.
+    public static func validateVersion(binaryPath: URL, serverVersion: String) async throws(ValidationError) {
+        guard FileManager.default.fileExists(atPath: binaryPath.path) else {
+            throw .fileNotFound
+        }
+
+        let version: String
+        do {
+            try chmodX(at: binaryPath)
+            let versionOutput = try await Subprocess.data(for: [binaryPath.path, "version", "--output=json"])
+            let parsed: VersionOutput = try JSONDecoder().decode(VersionOutput.self, from: versionOutput)
+            version = parsed.version
+        } catch {
+            throw .unableToReadVersion(error)
+        }
+
+        guard version == serverVersion else {
+            throw .binaryVersionMismatch(binaryVersion: version, serverVersion: serverVersion)
+        }
+    }
+
+    struct VersionOutput: Codable {
+        let version: String
+    }
+
+    public static let xpcPeerRequirement = anchorRequirement +
         " and certificate leaf[subject.OU] = \"" + expectedTeamIdentifier + "\"" // Signed by the Coder team
 }
