chore: ensure downloaded slim binary version matches server

Author: ethanndickson

Coder-Desktop/Coder-DesktopHelper/Manager.swift

@@ -74,7 +74,8 @@ actor Manager {
         }
         pushProgress(stage: .validating)
         do {
-            try Validator.validate(path: dest)
+            try Validator.validateSignature(binaryPath: dest)
+            try await Validator.validateVersion(binaryPath: dest, serverVersion: buildInfo.version)
         } catch {
             throw .validation(error)
         }

Coder-Desktop/VPNLib/Validate.swift

@@ -1,4 +1,5 @@
 import Foundation
+import Subprocess
 
 public enum ValidationError: Error {
     case fileNotFound
@@ -7,7 +8,8 @@ public enum ValidationError: Error {
     case unableToRetrieveSignature
     case invalidIdentifier(identifier: String?)
     case invalidTeamIdentifier(identifier: String?)
-    case invalidVersion(version: String?)
+    case unableToReadVersion(any Error)
+    case binaryVersionMismatch(binaryVersion: String, serverVersion: String)
 
     public var description: String {
         switch self {
@@ -21,10 +23,12 @@ public enum ValidationError: Error {
             "Unable to retrieve signing information."
         case let .invalidIdentifier(identifier):
             "Invalid identifier: \(identifier ?? "unknown")."
-        case let .invalidVersion(version):
-            "Invalid runtime version: \(version ?? "unknown")."
+        case let .binaryVersionMismatch(binaryVersion, serverVersion):
+            "Binary version does not match server. Binary: \(binaryVersion), Server: \(serverVersion)."
         case let .invalidTeamIdentifier(identifier):
             "Invalid team identifier: \(identifier ?? "unknown")."
+        case .unableToReadVersion:
+            "Unable to execute the binary to read version"
         }
     }
 
@@ -41,13 +45,13 @@ public class Validator {
 
     private static let signInfoFlags: SecCSFlags = .init(rawValue: kSecCSSigningInformation)
 
-    public static func validate(path: URL) throws(ValidationError) {
-        guard FileManager.default.fileExists(atPath: path.path) else {
+    public static func validateSignature(binaryPath: URL) throws(ValidationError) {
+        guard FileManager.default.fileExists(atPath: binaryPath.path) else {
             throw .fileNotFound
         }
 
         var staticCode: SecStaticCode?
-        let status = SecStaticCodeCreateWithPath(path as CFURL, SecCSFlags(), &staticCode)
+        let status = SecStaticCodeCreateWithPath(binaryPath as CFURL, SecCSFlags(), &staticCode)
         guard status == errSecSuccess, let code = staticCode else {
             throw .unableToCreateStaticCode
         }
@@ -78,6 +82,29 @@ public class Validator {
         }
     }
 
+    public static func validateVersion(binaryPath: URL, serverVersion: String) async throws(ValidationError) {
+        guard FileManager.default.fileExists(atPath: binaryPath.path) else {
+            throw .fileNotFound
+        }
+
+        let version: String
+        do {
+            let versionOutput = try await Subprocess.data(for: [binaryPath.path, "version", "--output=json"])
+            let parsed: VersionOutput = try JSONDecoder().decode(VersionOutput.self, from: versionOutput)
+            version = parsed.version
+        } catch {
+            throw .unableToReadVersion(error)
+        }
+
+        guard version == serverVersion else {
+            throw .binaryVersionMismatch(binaryVersion: version, serverVersion: serverVersion)
+        }
+    }
+
+    struct VersionOutput: Codable {
+        let version: String
+    }
+
     public static let xpcPeerRequirement = "anchor apple generic" + // Apple-issued certificate chain
         " and certificate leaf[subject.OU] = \"" + expectedTeamIdentifier + "\"" // Signed by the Coder team
 }