doc: developer facing documentation for CLI signature verification

fioan89 · fioan89 · commit e1388234d564 · 2025-07-31T00:10:17.000+03:00
diff --git a/README.md b/README.md
@@ -109,6 +109,69 @@ If `ide_product_code` and `ide_build_number` is missing, Toolbox will only open
 page. Coder Toolbox will attempt to start the workspace if it’s not already running; however, for the most reliable
 experience, it’s recommended to ensure the workspace is running prior to initiating the connection.
 
+## GPG Signature Verification
+
+The Coder Toolbox plugin starting with version *0.5.0* implements a comprehensive GPG signature verification system to
+ensure the authenticity and integrity of downloaded Coder CLI binaries. This security feature helps protect users from
+running potentially malicious or tampered binaries.
+
+### How It Works
+
+1. **Binary Download**: When connecting to a Coder deployment, the plugin downloads the appropriate Coder CLI binary for
+   the user's operating system and architecture from the deployment's `/bin/` endpoint.
+
+2. **Signature Download**: After downloading the binary, the plugin attempts to download the corresponding `.asc`
+   signature file from the same location. The signature file is named according to the binary (e.g.,
+   `coder-linux-amd64.asc` for `coder-linux-amd64`).
+
+3. **Fallback Signature Sources**: If the signature is not available from the deployment, the plugin can optionally fall
+   back to downloading signatures from `releases.coder.com`. This is controlled by the `fallbackOnCoderForSignatures`
+   setting.
+
+4. **GPG Verification**: The plugin uses the BouncyCastle library to verify the detached GPG signature against the
+   downloaded binary using Coder's trusted public key.
+
+5. **User Interaction**: If signature verification fails or signatures are unavailable, the plugin presents security
+   warnings to users, allowing them to accept the risk and continue or abort the operation.
+
+### Verification Process
+
+The verification process involves several components:
+
+- **`GPGVerifier`**: Handles the core GPG signature verification logic using BouncyCastle
+- **`VerificationResult`**: Represents the outcome of verification (Valid, Invalid, Failed, SignatureNotFound)
+- **`CoderDownloadService`**: Manages downloading both binaries and their signatures
+- **`CoderCLIManager`**: Orchestrates the download and verification workflow
+
+### Configuration Options
+
+Users can control signature verification behavior through plugin settings:
+
+- **`disableSignatureVerification`**: When enabled, skips all signature verification. This is useful for clients running
+  custom CLI builds, or customers with old deployment versions that don't have a signature published on
+  `releases.coder.com`.
+- **`fallbackOnCoderForSignatures`**: When enabled, allows downloading signatures from `releases.coder.com` if not
+  available from the deployment.
+
+### Security Considerations
+
+- The plugin embeds Coder's trusted public key in the plugin resources
+- Verification uses detached signatures, which are more secure than attached signatures
+- Users are warned about security risks when verification fails
+- The system gracefully handles cases where signatures are unavailable
+- All verification failures are logged for debugging purposes
+
+### Error Handling
+
+The system handles various failure scenarios:
+
+- **Missing signatures**: Prompts user to accept risk or abort
+- **Invalid signatures**: Warns user about potential tampering and prompts user to accept risk or abort
+- **Verification failures**: Prompts user to accept risk or abort
+
+This signature verification system ensures that users can trust the Coder CLI binaries they download through the plugin,
+protecting against supply chain attacks and ensuring binary integrity.
+
 ## Configuring and Testing workspace polling with HTTP & SOCKS5 Proxy
 
 This section explains how to set up a local proxy and verify that
