fix: add code signing requirements to xpc connections #206
+132
−124
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This stack of pull requests is managed by Graphite. Learn more about stacking. |
This was referenced Jul 24, 2025
ethanndickson
force-pushed
the
ethan/networking-in-launchdaemon
branch
from
c7dbde8 to
ef8832a
Compare
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
from
ea87f52 to
5bf788f
Compare
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
from
5bf788f to
547fd97
Compare
ethanndickson
force-pushed
the
ethan/networking-in-launchdaemon
branch
from
ef8832a to
e32d7de
Compare
deansheather
approved these changes
Jul 30, 2025
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
from
547fd97 to
6687411
Compare
ethanndickson
force-pushed
the
ethan/networking-in-launchdaemon
branch
from
eebf562 to
291e5a1
Compare
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
from
6687411 to
ef370db
Compare
ethanndickson
force-pushed
the
ethan/networking-in-launchdaemon
branch
from
291e5a1 to
b0c196f
Compare
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
from
ef370db to
55319f4
Compare
ethanndickson
force-pushed
the
ethan/networking-in-launchdaemon
branch
from
b0c196f to
b81afc9
Compare
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
from
55319f4 to
8670f11
Compare
ethanndickson
force-pushed
the
ethan/networking-in-launchdaemon
branch
from
b81afc9 to
e96075e
Compare
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
2 times, most recently
from
be347a8 to
e6a3578
Compare
ethanndickson
force-pushed
the
ethan/networking-in-launchdaemon
branch
2 times, most recently
from
a4b58e5 to
bd905ae
Compare
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
from
e6a3578 to
a1864f6
Compare
ethanndickson
force-pushed
the
ethan/networking-in-launchdaemon
branch
from
bd905ae to
33931d6
Compare
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
from
a1864f6 to
8b4c8cd
Compare
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
from
8b4c8cd to
78fd6c0
Compare
ethanndickson
force-pushed
the
ethan/networking-in-launchdaemon
branch
from
33931d6 to
0999089
Compare
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
from
78fd6c0 to
a5d5337
Compare
ethanndickson
force-pushed
the
ethan/networking-in-launchdaemon
branch
from
0999089 to
1453e77
Compare
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
from
a5d5337 to
c450bd4
Compare
ethanndickson
force-pushed
the
ethan/networking-in-launchdaemon
branch
from
1453e77 to
d09250b
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR enhances security by adding code signing requirements to XPC connections to prevent unauthorized binaries from connecting to the Helper service. The changes implement validation that ensures only binaries signed by the Coder Apple development team can establish XPC connections.
Key changes:
- Refactored validation logic from
Download.swiftinto a dedicatedValidate.swiftfile - Added
xpcPeerRequirementproperty to enforce code signing requirements on XPC connections - Applied code signing validation to all XPC connection points in the application
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| Coder-Desktop/VPNLib/Validate.swift | New file containing extracted validation logic with added XPC peer requirement string |
| Coder-Desktop/VPNLib/Download.swift | Removed validation code that was moved to Validate.swift |
| Coder-Desktop/VPN/NEHelperXPCClient.swift | Added code signing requirement to XPC client connection |
| Coder-Desktop/Coder-DesktopHelper/HelperXPCListeners.swift | Added code signing requirements to both XPC server listeners |
| Coder-Desktop/Coder-Desktop/AppHelperXPCClient.swift | Added code signing requirement to app helper XPC client |
| } | ||
|
|
||
| guard let plistName = infoPlist[infoNameKey] as? String, plistName == expectedName else { | ||
| throw .invalidIdentifier(identifier: infoPlist[infoNameKey] as? String) |
There was a problem hiding this comment.
The error type should be a name-specific validation error, not invalidIdentifier. This validation is checking the bundle name, not the identifier, so it should throw a different error type or the existing invalidIdentifier case should be renamed to be more generic.
Suggested change
| throw .invalidIdentifier(identifier: infoPlist[infoNameKey] as? String) | |
| throw .invalidName(name: infoPlist[infoNameKey] as? String) |
ethanndickson
force-pushed
the
ethan/networking-in-launchdaemon
branch
from
d09250b to
d286679
Compare
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
from
c450bd4 to
557e4fe
Compare
Merge activity
|
ethanndickson
changed the base branch from
ethan/networking-in-launchdaemon
to
graphite-base/206
ethanndickson
force-pushed
the
ethan/xpc-validation
branch
from
557e4fe to
6b4106a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Continues to address #201.
I've manually tested that this change prevents binaries not signed by the Coder Apple development team from connecting to the Helper over XPC.
Most of the PR diff is me moving the validator out of
Download.swiftand intoValidate.swift