chore: tests for authenticode and version checks

deansheather · deansheather · commit 81e645c081aa · 2025-03-06T15:44:46.000+11:00
diff --git a/README.md b/README.md
@@ -0,0 +1,29 @@
+# Coder Desktop for Windows
+
+This repo contains the C# source code for Coder Desktop for Windows. You can
+download the latest version from the GitHub releases.
+
+### Contributing
+
+You will need:
+
+- Visual Studio 2022
+    - .NET desktop development
+    - WinUI application development
+    - Windows 10 SDK (10.0.19041.0)
+- Wix Toolset 5.0.2 (if building the installer)
+
+It's also recommended to use JetBrains Rider (or VS + ReSharper) for a better
+experience.
+
+### License
+
+The Coder Desktop for Windows source is licensed under the GNU Affero General
+Public License v3.0 (AGPL-3.0).
+
+Some vendored files in this repo are licensed separately. The license for these
+files can be found in the same directory as the files.
+
+The binary distributions of Coder Desktop for Windows have some additional
+license disclaimers that can be found in
+[scripts/files/License.txt](scripts/files/License.txt) or during installation.
diff --git a/Tests.Vpn.Service/DownloaderTest.cs b/Tests.Vpn.Service/DownloaderTest.cs
@@ -27,23 +27,29 @@ public class AuthenticodeDownloadValidatorTest
     [CancelAfter(30_000)]
     public void Unsigned(CancellationToken ct)
     {
-        // TODO: this
+        var testBinaryPath = Path.Combine(TestContext.CurrentContext.TestDirectory, "testdata", "hello.exe");
+        var ex = Assert.ThrowsAsync<Exception>(() =>
+            AuthenticodeDownloadValidator.Coder.ValidateAsync(testBinaryPath, ct));
+        Assert.That(ex.Message, Does.Contain("File is not signed and trusted with an Authenticode signature: State=Unsigned, StateReason=None"));
     }
 
     [Test(Description = "Test an untrusted binary")]
     [CancelAfter(30_000)]
     public void Untrusted(CancellationToken ct)
     {
-        // TODO: this
+        var testBinaryPath = Path.Combine(TestContext.CurrentContext.TestDirectory, "testdata", "hello-self-signed.exe");
+        var ex = Assert.ThrowsAsync<Exception>(() =>
+            AuthenticodeDownloadValidator.Coder.ValidateAsync(testBinaryPath, ct));
+        Assert.That(ex.Message, Does.Contain("File is not signed and trusted with an Authenticode signature: State=Unsigned, StateReason=UntrustedRoot"));
     }
 
     [Test(Description = "Test an binary with a detached signature (catalog file)")]
     [CancelAfter(30_000)]
     public void DifferentCertTrusted(CancellationToken ct)
     {
-        // notepad.exe uses a catalog file for its signature.
+        // rundll32.exe uses a catalog file for its signature.
         var ex = Assert.ThrowsAsync<Exception>(() =>
-            AuthenticodeDownloadValidator.Coder.ValidateAsync(@"C:\Windows\System32\notepad.exe", ct));
+            AuthenticodeDownloadValidator.Coder.ValidateAsync(@"C:\Windows\System32\rundll32.exe", ct));
         Assert.That(ex.Message,
             Does.Contain("File is not signed with an embedded Authenticode signature: Kind=Catalog"));
     }
@@ -52,15 +58,19 @@ public void DifferentCertTrusted(CancellationToken ct)
     [CancelAfter(30_000)]
     public void DifferentCertUntrusted(CancellationToken ct)
     {
-        // TODO: this
+        // dotnet.exe is signed by .NET. During tests we can be pretty sure
+        // this is installed.
+        var ex = Assert.ThrowsAsync<Exception>(() =>
+            AuthenticodeDownloadValidator.Coder.ValidateAsync(@"C:\Program Files\dotnet\dotnet.exe", ct));
+        Assert.That(ex.Message, Does.Contain("File is signed by an unexpected certificate: ExpectedName='Coder Technologies Inc.', ActualName='.NET"));
     }
 
     [Test(Description = "Test a binary signed by Coder's certificate")]
     [CancelAfter(30_000)]
     public async Task CoderSigned(CancellationToken ct)
     {
-        // TODO: this
-        await Task.CompletedTask;
+        var testBinaryPath = Path.Combine(TestContext.CurrentContext.TestDirectory, "testdata", "hello-versioned-signed.exe");
+        await AuthenticodeDownloadValidator.Coder.ValidateAsync(testBinaryPath, ct);
     }
 }
 
@@ -71,22 +81,57 @@ public class AssemblyVersionDownloadValidatorTest
     [CancelAfter(30_000)]
     public void NoVersion(CancellationToken ct)
     {
-        // TODO: this
+        var testBinaryPath = Path.Combine(TestContext.CurrentContext.TestDirectory, "testdata", "hello.exe");
+        var ex = Assert.ThrowsAsync<Exception>(() =>
+            new AssemblyVersionDownloadValidator(1, 2, 3, 4).ValidateAsync(testBinaryPath, ct));
+        Assert.That(ex.Message, Does.Contain("File ProductVersion is empty or null"));
     }
 
-    [Test(Description = "Version mismatch")]
+    [Test(Description = "Invalid version on binary")]
     [CancelAfter(30_000)]
-    public void VersionMismatch(CancellationToken ct)
+    public void InvalidVersion(CancellationToken ct)
     {
-        // TODO: this
+        var testBinaryPath = Path.Combine(TestContext.CurrentContext.TestDirectory, "testdata", "hello-invalid-version.exe");
+        var ex = Assert.ThrowsAsync<Exception>(() =>
+            new AssemblyVersionDownloadValidator(1, 2, 3, 4).ValidateAsync(testBinaryPath, ct));
+        Assert.That(ex.Message, Does.Contain("File ProductVersion '1-2-3-4' is not a valid version string"));
+    }
+
+    [Test(Description = "Version mismatch with full version check")]
+    [CancelAfter(30_000)]
+    public void VersionMismatchFull(CancellationToken ct)
+    {
+        var testBinaryPath = Path.Combine(TestContext.CurrentContext.TestDirectory, "testdata", "hello-versioned-signed.exe");
+
+        // Try changing each version component one at a time
+        var expectedVersions = new[] { 1, 2, 3, 4 };
+        for (var i = 0; i < 4; i++)
+        {
+            var testVersions = (int[])expectedVersions.Clone();
+            testVersions[i]++; // Increment this component to make it wrong
+
+            var ex = Assert.ThrowsAsync<Exception>(() =>
+                new AssemblyVersionDownloadValidator(
+                    testVersions[0], testVersions[1], testVersions[2], testVersions[3]
+                ).ValidateAsync(testBinaryPath, ct));
+
+            Assert.That(ex.Message, Does.Contain(
+                $"File ProductVersion does not match expected version: Actual='1.2.3.4', Expected='{string.Join(".", testVersions)}'"));
+        }
     }
 
-    [Test(Description = "Version match")]
+    [Test(Description = "Version match with and without partial version check")]
     [CancelAfter(30_000)]
     public async Task VersionMatch(CancellationToken ct)
     {
-        // TODO: this
-        await Task.CompletedTask;
+        var testBinaryPath = Path.Combine(TestContext.CurrentContext.TestDirectory, "testdata", "hello-versioned-signed.exe");
+
+        // Test with just major.minor
+        await new AssemblyVersionDownloadValidator(1, 2).ValidateAsync(testBinaryPath, ct);
+        // Test with major.minor.patch
+        await new AssemblyVersionDownloadValidator(1, 2, 3).ValidateAsync(testBinaryPath, ct);
+        // Test with major.minor.patch.build
+        await new AssemblyVersionDownloadValidator(1, 2, 3, 4).ValidateAsync(testBinaryPath, ct);
     }
 }
 
diff --git a/Tests.Vpn.Service/Tests.Vpn.Service.csproj b/Tests.Vpn.Service/Tests.Vpn.Service.csproj
@@ -12,6 +12,23 @@
         <IsTestProject>true</IsTestProject>
     </PropertyGroup>
 
+    <ItemGroup>
+      <None Remove="testdata\hello.go" />
+      <None Remove="testdata\winres.json" />
+      <None Update="testdata\hello.exe">
+        <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+      </None>
+      <None Update="testdata\hello-invalid-version.exe">
+          <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+      </None>
+      <None Update="testdata\hello-self-signed.exe">
+        <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+      </None>
+      <None Update="testdata\hello-versioned-signed.exe">
+        <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+      </None>
+    </ItemGroup>
+
     <ItemGroup>
         <PackageReference Include="coverlet.collector" Version="6.0.4">
             <PrivateAssets>all</PrivateAssets>
diff --git a/Tests.Vpn.Service/testdata/.gitignore b/Tests.Vpn.Service/testdata/.gitignore
@@ -0,0 +1,2 @@
+*.go
+*.pfx
diff --git a/Tests.Vpn.Service/testdata/Build-Assets.ps1 b/Tests.Vpn.Service/testdata/Build-Assets.ps1
@@ -0,0 +1,68 @@
+$errorActionPreference = "Stop"
+
+Set-Location $PSScriptRoot
+
+# If hello.go does not exist, write it. We don't check it into the repo to avoid
+# GitHub showing that the repo contains Go code.
+if (-not (Test-Path "hello.go")) {
+    $helloGo = @"
+package main
+
+func main() {
+    println("Hello, World!")
+}
+"@
+    Set-Content -Path "hello.go" -Value $helloGo
+}
+
+& go.exe build -ldflags '-w -s' -o hello.exe hello.go
+if ($LASTEXITCODE -ne 0) { throw "Failed to build hello.exe" }
+
+# hello-invalid-version.exe is used for testing versioned binaries with an
+# invalid version.
+Copy-Item hello.exe hello-invalid-version.exe
+& go-winres.exe patch --in winres.json --delete --no-backup --product-version 1-2-3-4 --file-version 1-2-3-4 hello-invalid-version.exe
+if ($LASTEXITCODE -ne 0) { throw "Failed to patch hello-invalid-version.exe with go-winres" }
+
+# hello-self-signed.exe is used for testing untrusted binaries.
+Copy-Item hello.exe hello-self-signed.exe
+$helloSelfSignedPath = (Get-Item hello-self-signed.exe).FullName
+
+# Create a self signed certificate for signing and then delete it.
+$certStoreLocation = "Cert:\CurrentUser\My"
+$password = "password"
+$cert = New-SelfSignedCertificate `
+    -CertStoreLocation $certStoreLocation `
+    -DnsName coder.com `
+    -Subject "CN=coder-desktop-windows-self-signed-cert" `
+    -Type CodeSigningCert `
+    -KeyUsage DigitalSignature `
+    -NotAfter (Get-Date).AddDays(3650)
+$pfxPath = Join-Path $PSScriptRoot "cert.pfx"
+try {
+    $securePassword = ConvertTo-SecureString -String $password -Force -AsPlainText
+    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $securePassword
+
+    # Sign hello-self-signed.exe with the self signed certificate
+    & "${env:ProgramFiles(x86)}\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /debug /f $pfxPath /p $password /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 $helloSelfSignedPath
+    if ($LASTEXITCODE -ne 0) { throw "Failed to sign hello-self-signed.exe with signtool" }
+} finally {
+    if ($cert.Thumbprint) {
+        Remove-Item -Path (Join-Path $certStoreLocation $cert.Thumbprint) -Force
+    }
+    if (Test-Path $pfxPath) {
+        Remove-Item -Path $pfxPath -Force
+    }
+}
+
+# hello-versioned-signed.exe is used for testing versioned binariess and
+# binaries signed by a real EV certificate.
+Copy-Item hello.exe hello-versioned-signed.exe
+
+& go-winres.exe patch --in winres.json --delete --no-backup --product-version 1.2.3.4 --file-version 1.2.3.4 hello-versioned-signed.exe
+if ($LASTEXITCODE -ne 0) { throw "Failed to patch hello-versioned-signed.exe with go-winres" }
+
+# Then sign hello-versioned-signed.exe with the same EV cert as our real
+# binaries. Since this is a bit more complicated and requires some extra
+# permissions, we don't do this in the build script.
+Write-Host "Don't forget to sign hello-versioned-signed.exe with the EV cert!"
diff --git a/Tests.Vpn.Service/testdata/hello-invalid-version.exe b/Tests.Vpn.Service/testdata/hello-invalid-version.exe
diff --git a/Tests.Vpn.Service/testdata/hello-self-signed.exe b/Tests.Vpn.Service/testdata/hello-self-signed.exe
diff --git a/Tests.Vpn.Service/testdata/hello-versioned-signed.exe b/Tests.Vpn.Service/testdata/hello-versioned-signed.exe
diff --git a/Tests.Vpn.Service/testdata/hello.exe b/Tests.Vpn.Service/testdata/hello.exe
diff --git a/Tests.Vpn.Service/testdata/winres.json b/Tests.Vpn.Service/testdata/winres.json
@@ -0,0 +1,44 @@
+{
+  "RT_MANIFEST": {
+    "#1": {
+      "0409": {
+        "identity": {},
+        "description": "",
+        "minimum-os": "win7",
+        "execution-level": "",
+        "ui-access": false,
+        "auto-elevate": false,
+        "dpi-awareness": "system",
+        "disable-theming": false,
+        "disable-window-filtering": false,
+        "high-resolution-scrolling-aware": false,
+        "ultra-high-resolution-scrolling-aware": false,
+        "long-path-aware": false,
+        "printer-driver-isolation": false,
+        "gdi-scaling": false,
+        "segment-heap": false,
+        "use-common-controls-v6": false
+      }
+    }
+  },
+  "RT_VERSION": {
+    "#1": {
+      "0409": {
+        "fixed": {
+          "file_version": "1.2.3.4",
+          "product_version": "1.2.3.4"
+        },
+        "info": {
+          "0409": {
+            "FileDescription": "Coder",
+            "FileVersion": "1.2.3.4",
+            "LegalCopyright": "Copyright 2025 Coder Technologies Inc.",
+            "OriginalFilename": "coder.exe",
+            "ProductName": "Coder",
+            "ProductVersion": "1.2.3.4"
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/Vpn.Service/Downloader.cs b/Vpn.Service/Downloader.cs
@@ -60,15 +60,13 @@ public async Task ValidateAsync(string path, CancellationToken ct = default)
 
         if (fileSigInfo.State != SignatureState.SignedAndTrusted)
             throw new Exception(
-                $"File is not signed and trusted with an Authenticode signature: State={fileSigInfo.State}");
+                $"File is not signed and trusted with an Authenticode signature: State={fileSigInfo.State}, StateReason={fileSigInfo.StateReason}");
 
         // Coder will only use embedded signatures because we are downloading
         // individual binaries and not installers which can ship catalog files.
         if (fileSigInfo.Kind != SignatureKind.Embedded)
             throw new Exception($"File is not signed with an embedded Authenticode signature: Kind={fileSigInfo.Kind}");
 
-        // TODO: check that it's an extended validation certificate
-
         var actualName = fileSigInfo.SigningCertificate.GetNameInfo(X509NameType.SimpleName, false);
         if (actualName != _expectedName)
             throw new Exception(
@@ -86,8 +84,8 @@ public class AssemblyVersionDownloadValidator : IDownloadValidator
     private readonly Version _expectedVersion;
 
     // ReSharper disable once ConvertToPrimaryConstructor
-    public AssemblyVersionDownloadValidator(int expectedMajor, int expectedMinor, int expectedBuild,
-        int expectedRevision)
+    public AssemblyVersionDownloadValidator(int expectedMajor, int expectedMinor, int expectedBuild = -1,
+        int expectedRevision = -1)
     {
         _expectedMajor = expectedMajor;
         _expectedMinor = expectedMinor;
@@ -122,7 +120,7 @@ public Task ValidateAsync(string path, CancellationToken ct = default)
             (_expectedBuild != -1 && productVersion.Build != _expectedBuild) ||
             (_expectedRevision != -1 && productVersion.Revision != _expectedRevision))
             throw new Exception(
-                $"File ProductVersion is '{info.ProductVersion}', but expected '{_expectedVersion}'");
+                $"File ProductVersion does not match expected version: Actual='{info.ProductVersion}', Expected='{_expectedVersion}'");
 
         return Task.CompletedTask;
     }
diff --git a/scripts/Publish.ps1 b/scripts/Publish.ps1
@@ -122,6 +122,7 @@ if ($LASTEXITCODE -ne 0) { throw "Failed to build Vpn.Service" }
 $appPublishDir = Join-Path $buildPath "app"
 $msbuildBinary = & "${env:ProgramFiles(x86)}\Microsoft Visual Studio\Installer\vswhere.exe" -latest -requires Microsoft.Component.MSBuild -find MSBuild\**\Bin\MSBuild.exe
 if ($LASTEXITCODE -ne 0) { throw "Failed to find MSBuild" }
+if (-not (Test-Path $msbuildBinary)) { throw "Failed to find MSBuild at $msbuildBinary" }
 & $msbuildBinary .\App\App.csproj /p:Configuration=Release /p:Platform=$arch /p:OutputPath=$appPublishDir
 if ($LASTEXITCODE -ne 0) { throw "Failed to build App" }
 
