impl: add support for disabling CLI signature verification (#166)

This PR implements a new configurable option to allow users to disable
GPG signature verification for downloaded Coder CLI binaries. This
feature provides flexibility for environments where signature
verification may not be required or where fallback signature sources are
not accessible.

A new option `disableSignatureVerification` is now available only from
the Settings page, with no quick shortcut in the main page to discourage
users from quickly disabling this option. The
`fallbackOnCoderForSignatures` is hidden/not available for configuration
once signature verification is disabled.
Additionally a rough draft for developer facing documentation regarding
CLI signature verification was added.

To make things more consistent with Coder Gateway, the fallback setting
is always displayed if signature verification is enabled, we no longer
display it only once in the main page.

This PR is a port of coder/jetbrains-coder#564
from Coder Gateway.
<img width="486" height="746" alt="image"
src="https://github.com/user-attachments/assets/eff6f944-57ea-4926-857a-d5c5fd5d3901"
/>
<img width="486" height="746" alt="image"
src="https://github.com/user-attachments/assets/7f1d39da-9777-4d5c-a329-e056fe38bf22"
/>

Author: fioan89

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Added
+
+- support for skipping CLI signature verification
+
 ### Changed
 
 - URL validation is stricter in the connection screen and URI protocol handler

JETBRAINS_COMPLIANCE.md

@@ -39,8 +39,6 @@ This configuration includes JetBrains-specific rules that check for:
 - **ForbiddenImport**: Detects potentially bundled libraries
 - **Standard code quality rules**: Complexity, naming, performance, etc.
 
-
-
 ## CI/CD Integration
 
 The GitHub Actions workflow `.github/workflows/jetbrains-compliance.yml` runs compliance checks on every PR and push.
@@ -55,8 +53,6 @@ The GitHub Actions workflow `.github/workflows/jetbrains-compliance.yml` runs co
 open build/reports/detekt/detekt.html
 ```
 
-
-
 ## Understanding Results
 
 ### Compliance Check Results

README.md

@@ -109,6 +109,69 @@ If `ide_product_code` and `ide_build_number` is missing, Toolbox will only open
 page. Coder Toolbox will attempt to start the workspace if it’s not already running; however, for the most reliable
 experience, it’s recommended to ensure the workspace is running prior to initiating the connection.
 
+## GPG Signature Verification
+
+The Coder Toolbox plugin starting with version *0.5.0* implements a comprehensive GPG signature verification system to
+ensure the authenticity and integrity of downloaded Coder CLI binaries. This security feature helps protect users from
+running potentially malicious or tampered binaries.
+
+### How It Works
+
+1. **Binary Download**: When connecting to a Coder deployment, the plugin downloads the appropriate Coder CLI binary for
+   the user's operating system and architecture from the deployment's `/bin/` endpoint.
+
+2. **Signature Download**: After downloading the binary, the plugin attempts to download the corresponding `.asc`
+   signature file from the same location. The signature file is named according to the binary (e.g.,
+   `coder-linux-amd64.asc` for `coder-linux-amd64`).
+
+3. **Fallback Signature Sources**: If the signature is not available from the deployment, the plugin can optionally fall
+   back to downloading signatures from `releases.coder.com`. This is controlled by the `fallbackOnCoderForSignatures`
+   setting.
+
+4. **GPG Verification**: The plugin uses the BouncyCastle library to verify the detached GPG signature against the
+   downloaded binary using Coder's trusted public key.
+
+5. **User Interaction**: If signature verification fails or signatures are unavailable, the plugin presents security
+   warnings to users, allowing them to accept the risk and continue or abort the operation.
+
+### Verification Process
+
+The verification process involves several components:
+
+- **`GPGVerifier`**: Handles the core GPG signature verification logic using BouncyCastle
+- **`VerificationResult`**: Represents the outcome of verification (Valid, Invalid, Failed, SignatureNotFound)
+- **`CoderDownloadService`**: Manages downloading both binaries and their signatures
+- **`CoderCLIManager`**: Orchestrates the download and verification workflow
+
+### Configuration Options
+
+Users can control signature verification behavior through plugin settings:
+
+- **`disableSignatureVerification`**: When enabled, skips all signature verification. This is useful for clients running
+  custom CLI builds, or customers with old deployment versions that don't have a signature published on
+  `releases.coder.com`.
+- **`fallbackOnCoderForSignatures`**: When enabled, allows downloading signatures from `releases.coder.com` if not
+  available from the deployment.
+
+### Security Considerations
+
+- The plugin embeds Coder's trusted public key in the plugin resources
+- Verification uses detached signatures, which are more secure than attached signatures
+- Users are warned about security risks when verification fails
+- The system gracefully handles cases where signatures are unavailable
+- All verification failures are logged for debugging purposes
+
+### Error Handling
+
+The system handles various failure scenarios:
+
+- **Missing signatures**: Prompts user to accept risk or abort
+- **Invalid signatures**: Warns user about potential tampering and prompts user to accept risk or abort
+- **Verification failures**: Prompts user to accept risk or abort
+
+This signature verification system ensures that users can trust the Coder CLI binaries they download through the plugin,
+protecting against supply chain attacks and ensuring binary integrity.
+
 ## Configuring and Testing workspace polling with HTTP & SOCKS5 Proxy
 
 This section explains how to set up a local proxy and verify that

gradle.properties

@@ -1,3 +1,3 @@
-version=0.6.0
+version=0.6.1
 group=com.coder.toolbox
 name=coder-toolbox

src/main/kotlin/com/coder/toolbox/cli/CoderCLIManager.kt

@@ -181,6 +181,12 @@ class CoderCLIManager(
                 }
             }
 
+            if (context.settingsStore.disableSignatureVerification) {
+                downloader.commit()
+                context.logger.info("Skipping over CLI signature verification, it is disabled by the user")
+                return true
+            }
+
             var signatureResult = withContext(Dispatchers.IO) {
                 downloader.downloadSignature(showTextProgress)
             }

src/main/kotlin/com/coder/toolbox/settings/ReadOnlyCoderSettings.kt

@@ -29,7 +29,12 @@ interface ReadOnlyCoderSettings {
     val binaryDirectory: String?
 
     /**
-     * Controls whether we fall back release.coder.com
+     * Controls whether we verify the cli signature
+     */
+    val disableSignatureVerification: Boolean
+
+    /**
+     * Controls whether we fall back on release.coder.com for signatures if signature validation is enabled
      */
     val fallbackOnCoderForSignatures: SignatureFallbackStrategy
 

src/main/kotlin/com/coder/toolbox/store/CoderSettingsStore.kt

@@ -38,6 +38,8 @@ class CoderSettingsStore(
     override val defaultURL: String get() = store[DEFAULT_URL] ?: "https://dev.coder.com"
     override val binarySource: String? get() = store[BINARY_SOURCE]
     override val binaryDirectory: String? get() = store[BINARY_DIRECTORY]
+    override val disableSignatureVerification: Boolean
+        get() = store[DISABLE_SIGNATURE_VALIDATION]?.toBooleanStrictOrNull() ?: false
     override val fallbackOnCoderForSignatures: SignatureFallbackStrategy
         get() = SignatureFallbackStrategy.fromValue(store[FALLBACK_ON_CODER_FOR_SIGNATURES])
     override val defaultCliBinaryNameByOsAndArch: String get() = getCoderCLIForOS(getOS(), getArch())
@@ -166,6 +168,10 @@ class CoderSettingsStore(
         store[ENABLE_DOWNLOADS] = shouldEnableDownloads.toString()
     }
 
+    fun updateDisableSignatureVerification(shouldDisableSignatureVerification: Boolean) {
+        store[DISABLE_SIGNATURE_VALIDATION] = shouldDisableSignatureVerification.toString()
+    }
+
     fun updateSignatureFallbackStrategy(fallback: Boolean) {
         store[FALLBACK_ON_CODER_FOR_SIGNATURES] = when (fallback) {
             true -> SignatureFallbackStrategy.ALLOW.toString()

src/main/kotlin/com/coder/toolbox/store/StoreKeys.kt

@@ -10,6 +10,8 @@ internal const val BINARY_SOURCE = "binarySource"
 
 internal const val BINARY_DIRECTORY = "binaryDirectory"
 
+internal const val DISABLE_SIGNATURE_VALIDATION = "disableSignatureValidation"
+
 internal const val FALLBACK_ON_CODER_FOR_SIGNATURES = "signatureFallbackStrategy"
 
 internal const val BINARY_NAME = "binaryName"

src/main/kotlin/com/coder/toolbox/views/CoderSettingsPage.kt

@@ -6,6 +6,7 @@ import com.jetbrains.toolbox.api.ui.components.CheckboxField
 import com.jetbrains.toolbox.api.ui.components.TextField
 import com.jetbrains.toolbox.api.ui.components.TextType
 import com.jetbrains.toolbox.api.ui.components.UiField
+import kotlinx.coroutines.Job
 import kotlinx.coroutines.channels.Channel
 import kotlinx.coroutines.channels.ClosedSendChannelException
 import kotlinx.coroutines.flow.MutableStateFlow
@@ -20,7 +21,7 @@ import kotlinx.coroutines.launch
  * TODO@JB: There is no scroll, and our settings do not fit.  As a consequence,
  *          I have not been able to test this page.
  */
-class CoderSettingsPage(context: CoderToolboxContext, triggerSshConfig: Channel<Boolean>) :
+class CoderSettingsPage(private val context: CoderToolboxContext, triggerSshConfig: Channel<Boolean>) :
     CoderPage(MutableStateFlow(context.i18n.ptrl("Coder Settings")), false) {
     private val settings = context.settingsStore.readOnly()
 
@@ -33,6 +34,11 @@ class CoderSettingsPage(context: CoderToolboxContext, triggerSshConfig: Channel<
         TextField(context.i18n.ptrl("Data directory"), settings.dataDirectory ?: "", TextType.General)
     private val enableDownloadsField =
         CheckboxField(settings.enableDownloads, context.i18n.ptrl("Enable downloads"))
+
+    private val disableSignatureVerificationField = CheckboxField(
+        settings.disableSignatureVerification,
+        context.i18n.ptrl("Disable Coder CLI signature verification")
+    )
     private val signatureFallbackStrategyField =
         CheckboxField(
             settings.fallbackOnCoderForSignatures.isAllowed(),
@@ -65,13 +71,14 @@ class CoderSettingsPage(context: CoderToolboxContext, triggerSshConfig: Channel<
     private val networkInfoDirField =
         TextField(context.i18n.ptrl("SSH network metrics directory"), settings.networkInfoDir, TextType.General)
 
-
+    private lateinit var visibilityUpdateJob: Job
     override val fields: StateFlow<List<UiField>> = MutableStateFlow(
         listOf(
             binarySourceField,
             enableDownloadsField,
             binaryDirectoryField,
             enableBinaryDirectoryFallbackField,
+            disableSignatureVerificationField,
             signatureFallbackStrategyField,
             dataDirectoryField,
             headerCommandField,
@@ -94,6 +101,7 @@ class CoderSettingsPage(context: CoderToolboxContext, triggerSshConfig: Channel<
                 context.settingsStore.updateBinaryDirectory(binaryDirectoryField.contentState.value)
                 context.settingsStore.updateDataDirectory(dataDirectoryField.contentState.value)
                 context.settingsStore.updateEnableDownloads(enableDownloadsField.checkedState.value)
+                context.settingsStore.updateDisableSignatureVerification(disableSignatureVerificationField.checkedState.value)
                 context.settingsStore.updateSignatureFallbackStrategy(signatureFallbackStrategyField.checkedState.value)
                 context.settingsStore.updateBinaryDirectoryFallback(enableBinaryDirectoryFallbackField.checkedState.value)
                 context.settingsStore.updateHeaderCommand(headerCommandField.contentState.value)
@@ -182,5 +190,19 @@ class CoderSettingsPage(context: CoderToolboxContext, triggerSshConfig: Channel<
         networkInfoDirField.contentState.update {
             settings.networkInfoDir
         }
+
+        visibilityUpdateJob = context.cs.launch {
+            disableSignatureVerificationField.checkedState.collect { state ->
+                signatureFallbackStrategyField.visibility.update {
+                    // the fallback checkbox should not be visible
+                    // if signature verification is disabled
+                    !state
+                }
+            }
+        }
+    }
+
+    override fun afterHide() {
+        visibilityUpdateJob.cancel()
     }
 }

src/main/kotlin/com/coder/toolbox/views/DeploymentUrlStep.kt

@@ -1,7 +1,6 @@
 package com.coder.toolbox.views
 
 import com.coder.toolbox.CoderToolboxContext
-import com.coder.toolbox.settings.SignatureFallbackStrategy
 import com.coder.toolbox.util.WebUrlValidationResult.Invalid
 import com.coder.toolbox.util.toURL
 import com.coder.toolbox.util.validateStrictWebUrl
@@ -41,7 +40,7 @@ class DeploymentUrlStep(
 
     override val panel: RowGroup
         get() {
-            if (context.settingsStore.fallbackOnCoderForSignatures == SignatureFallbackStrategy.NOT_CONFIGURED) {
+            if (!context.settingsStore.disableSignatureVerification) {
                 return RowGroup(
                     RowGroup.RowField(urlField),
                     RowGroup.RowField(emptyLine),