Implement plugin verification via certificates and JAR signing

2026-06-13 16:40:01 +00:00 · 2025-04-02 10:35:15 +02:00
parent cdfa2a25a4
commit 4ab7dbddec
11 changed files with 167 additions and 20 deletions
@@ -50,3 +50,4 @@ logs
 templates
 /gameyfin/src/main/frontend/**/*.js
 /gameyfin/src/main/frontend/**/*.js.map
+/gameyfin/src/main/bundles/
@@ -5,6 +5,9 @@ import {
    PlayCircle,
    Power,
    QuestionMark,
+    SealCheck,
+    SealQuestion,
+    SealWarning,
    SlidersHorizontal,
    StopCircle,
    WarningCircle
@@ -15,6 +18,7 @@ import PluginState from "Frontend/generated/org/pf4j/PluginState";
 import React, {ReactNode, useEffect, useState} from "react";
 import PluginDetailsModal from "Frontend/components/general/modals/PluginDetailsModal";
 import PluginLogo from "Frontend/components/general/PluginLogo";
+import PluginTrustLevel from "Frontend/generated/de/grimsi/gameyfin/core/plugins/management/PluginTrustLevel";

 export function PluginManagementCard({plugin, updatePlugin}: {
    plugin: PluginDto,
@@ -63,6 +67,27 @@ export function PluginManagementCard({plugin, updatePlugin}: {
        }
    }

+    function trustLevelToBadge(trustLevel: PluginTrustLevel | undefined): React.ReactNode {
+        switch (trustLevel) {
+            case PluginTrustLevel.OFFICIAL:
+                return <Tooltip color="foreground" placement="bottom" content="Official plugin">
+                    <SealCheck weight="fill" className="fill-success"/>
+                </Tooltip>;
+            case PluginTrustLevel.BUNDLED:
+                return <Tooltip color="foreground" placement="bottom" content="Bundled plugin">
+                    <SealCheck weight="fill"/>
+                </Tooltip>;
+            case PluginTrustLevel.THIRD_PARTY:
+                return <Tooltip color="foreground" placement="bottom" content="3rd party plugin">
+                    <SealWarning/>
+                </Tooltip>;
+            default:
+                return <Tooltip color="foreground" placement="bottom" content="Unkown verification status">
+                    <SealQuestion/>
+                </Tooltip>;
+        }
+    }
+
    function isDisabled(state: PluginState | undefined): boolean {
        return state === PluginState.DISABLED;
    }
@@ -102,9 +127,12 @@ export function PluginManagementCard({plugin, updatePlugin}: {
                        </Button>
                    </Tooltip>
                </div>
-                <div className="flex flex-1 flex-col items-center gap-1">
+                <div className="flex flex-1 flex-col items-center gap-2">
                    <PluginLogo plugin={plugin}/>
-                    <p className="font-semibold">{plugin.name}</p>
+                    <p className="flex flex-row gap-1 font-semibold">
+                        {plugin.name}
+                        {trustLevelToBadge(plugin.trustLevel)}
+                    </p>
                    <div className="flex flex-row gap-2">
                        <Chip size="sm" radius="sm" className="text-xs">{plugin.version}</Chip>
                        <Chip size="sm" radius="sm" className="text-xs" color={stateToColor(plugin.state)}>
@@ -12,15 +12,8 @@ class DatabasePluginStatusProvider(
    override fun isPluginDisabled(pluginId: String): Boolean {
        var pluginManagement = pluginManagementRepository.findByIdOrNull(pluginId)

-        // If the plugin is unknown, persist it as enabled
        if (pluginManagement == null) {
-
-            // Set priority to the max value of the current plugins + 1 (which is the lowest priority) or 1 if there are no entries
-            val currentMaxPriority = pluginManagementRepository.findMaxPriority() ?: 0
-
-            pluginManagement = pluginManagementRepository.save(
-                PluginManagementEntry(pluginId = pluginId, enabled = true, priority = currentMaxPriority + 1)
-            )
+            return true
        }

        return pluginManagement.enabled != true
@@ -4,9 +4,17 @@ import de.grimsi.gameyfin.core.plugins.config.PluginConfigRepository
 import de.grimsi.gameyfin.pluginapi.core.GameyfinPlugin
 import io.github.oshai.kotlinlogging.KotlinLogging
 import org.pf4j.*
+import org.springframework.data.repository.findByIdOrNull
 import org.springframework.stereotype.Component
+import java.io.InputStream
 import java.nio.file.Path
+import java.security.PublicKey
+import java.security.cert.CertificateFactory
+import java.security.cert.X509Certificate
+import java.util.jar.JarFile
 import kotlin.io.path.Path
+import kotlin.io.path.extension
+

 /**
 * @see https://stackoverflow.com/questions/73654174/my-application-cant-find-the-extension-with-pf4j
@@ -18,6 +26,10 @@ class GameyfinPluginManager(
    val pluginManagementRepository: PluginManagementRepository
 ) : DefaultPluginManager(Path(System.getProperty("pf4j.pluginsDir", "plugins"))) {

+    companion object {
+        private const val PUBLIC_KEY_FILE = "certificates/gameyfin-plugins.pem"
+    }
+
    private val log = KotlinLogging.logger {}

    // This took me way too long to figure out...
@@ -41,12 +53,10 @@ class GameyfinPluginManager(
        val compoundPluginLoader = CompoundPluginLoader()
        val developmentPluginLoader = GameyfinPluginLoader(this, javaClass.classLoader)
        val jarPluginLoader = JarPluginLoader(this)
-        val defaultPluginLoader = DefaultPluginLoader(this)

        return compoundPluginLoader
            .add(developmentPluginLoader, this::isDevelopment)
            .add(jarPluginLoader, this::isNotDevelopment)
-            .add(defaultPluginLoader, this::isNotDevelopment)
    }

    override fun createPluginStatusProvider(): PluginStatusProvider {
@@ -59,6 +69,32 @@ class GameyfinPluginManager(
        if (pluginWrapper != null) {
            // Inject config after loading, before starting
            configurePlugin(pluginWrapper)
+
+            // Update or create the PluginManagementEntry
+            if (pluginPath != null) {
+
+                // Set priority to the max value of the current plugins + 1 (which is the lowest priority) or 1 if there are no entries
+                val currentMaxPriority = pluginManagementRepository.findMaxPriority() ?: 0
+
+                val pluginManagementEntry = pluginManagementRepository.findByIdOrNull(pluginWrapper.pluginId)
+                    ?: PluginManagementEntry(pluginId = pluginWrapper.pluginId, priority = currentMaxPriority + 1)
+
+                if (pluginPath.extension == "jar") {
+                    log.debug { "Verifying plugin signature for ${pluginWrapper.pluginId}" }
+                    pluginManagementEntry.trustLevel = verifyPluginSignature(pluginPath)
+                    log.debug { "Plugin ${pluginWrapper.pluginId} verification status: ${pluginManagementEntry.trustLevel}" }
+                } else {
+                    pluginManagementEntry.trustLevel = PluginTrustLevel.BUNDLED
+                }
+
+                if (pluginManagementEntry.trustLevel in listOf(PluginTrustLevel.OFFICIAL, PluginTrustLevel.BUNDLED)) {
+                    pluginManagementEntry.enabled = true
+                    log.info { "Plugin ${pluginWrapper.pluginId} verified, starting" }
+                    startPlugin(pluginWrapper.pluginId)
+                }
+
+                pluginManagementRepository.save(pluginManagementEntry)
+            }
        }

        return pluginWrapper
@@ -69,11 +105,11 @@ class GameyfinPluginManager(

        // Validate config before starting the plugin
        if (!validatePluginConfig(pluginId)) {
-            log.error { "Plugin $pluginId has invalid configuration" }
+            log.warn { "Plugin $pluginId has invalid configuration" }

            val pluginWrapper = getPlugin(pluginId)
            pluginWrapper.pluginState = PluginState.FAILED
-            this.firePluginStateEvent(PluginStateEvent(this, pluginWrapper, pluginWrapper.pluginState));
+            this.firePluginStateEvent(PluginStateEvent(this, pluginWrapper, pluginWrapper.pluginState))
            return pluginWrapper.pluginState
        }

@@ -137,4 +173,55 @@ class GameyfinPluginManager(
    private fun getConfig(pluginId: String): Map<String, String?> {
        return pluginConfigRepository.findAllById_PluginId(pluginId).associate { it.id.key to it.value }
    }
+
+    fun verifyPluginSignature(pluginPath: Path): PluginTrustLevel {
+        val certFactory: CertificateFactory = CertificateFactory.getInstance("X.509")
+        val certFileInputStream = javaClass.classLoader.getResourceAsStream(PUBLIC_KEY_FILE)
+        val cert: X509Certificate = certFactory.generateCertificate(certFileInputStream) as X509Certificate
+        val publicKey: PublicKey = cert.publicKey
+        certFileInputStream?.close()
+
+        val jarFile = JarFile(pluginPath.toFile(), true)
+        val entries = jarFile.entries()
+
+        while (entries.hasMoreElements()) {
+            val entry = entries.nextElement()
+            if (entry.isDirectory || entry.name.startsWith("META-INF/")) continue
+
+            try {
+                val buffer = ByteArray(8192)
+                val entryInputStream: InputStream = jarFile.getInputStream(entry)
+                while ((entryInputStream.read(buffer, 0, buffer.size)) != -1) {
+                    // We just read
+                    // This will throw a SecurityException if a signature/digest check fails
+                }
+            } catch (_: SecurityException) {
+                // Signature verification failed
+                return PluginTrustLevel.THIRD_PARTY
+            }
+
+            val codeSigners = entry.codeSigners
+
+            if (codeSigners == null || codeSigners.isEmpty()) {
+                // No code signers, so we can't verify the signature
+                return PluginTrustLevel.THIRD_PARTY
+            }
+
+            for (codeSigner in codeSigners) {
+                val certs = codeSigner.signerCertPath.certificates
+
+                for (cert in certs) {
+                    if (cert is X509Certificate) {
+                        try {
+                            cert.verify(publicKey)
+                        } catch (_: Exception) {
+                            // Signature verification failed
+                            return PluginTrustLevel.THIRD_PARTY
+                        }
+                    }
+                }
+            }
+        }
+        return PluginTrustLevel.OFFICIAL
+    }
 }
@@ -9,5 +9,6 @@ data class PluginDto(
    val author: String,
    val hasLogo: Boolean,
    val state: PluginState,
-    val priority: Int
+    val priority: Int,
+    val trustLevel: PluginTrustLevel
 )
@@ -8,7 +8,9 @@ data class PluginManagementEntry(
    @Id
    val pluginId: String,

-    var enabled: Boolean = true,
+    var enabled: Boolean = false,

-    var priority: Int = 0
+    var priority: Int = 0,
+
+    var trustLevel: PluginTrustLevel = PluginTrustLevel.UNKNOWN,
 )
@@ -13,6 +13,7 @@ class PluginManagementService(
 ) {
    fun getPluginDtos(): List<PluginDto> {
        return pluginManager.plugins.map {
+            val pluginManagementEntry = getPluginManagementEntry(it.pluginId)
            PluginDto(
                it.pluginId,
                it.descriptor.pluginDescription,
@@ -20,13 +21,15 @@ class PluginManagementService(
                it.descriptor.provider,
                (it.plugin as GameyfinPlugin).hasLogo(),
                it.pluginState,
-                getPluginManagementEntry(it.pluginId).priority
+                pluginManagementEntry.priority,
+                pluginManagementEntry.trustLevel
            )
        }
    }

    fun getPluginDto(pluginId: String): PluginDto {
        val plugin = pluginManager.getPlugin(pluginId)
+        val pluginManagementEntry = getPluginManagementEntry(pluginId)
        return PluginDto(
            plugin.pluginId,
            plugin.descriptor.pluginDescription,
@@ -34,7 +37,8 @@ class PluginManagementService(
            plugin.descriptor.provider,
            (plugin.plugin as GameyfinPlugin).hasLogo(),
            plugin.pluginState,
-            getPluginManagementEntry(pluginId).priority
+            pluginManagementEntry.priority,
+            pluginManagementEntry.trustLevel
        )
    }

@@ -0,0 +1,8 @@
+package de.grimsi.gameyfin.core.plugins.management
+
+enum class PluginTrustLevel {
+    BUNDLED,
+    OFFICIAL,
+    THIRD_PARTY,
+    UNKNOWN,
+}
@@ -16,7 +16,7 @@ management:
    pause:
      enabled: false
    restart:
-      enabled: true
+      access: unrestricted

 spring:
  # Workaround for https://github.com/vaadin/hilla/issues/842
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID6zCCAlOgAwIBAgIIInXOudKRPwswDQYJKoZIhvcNAQEMBQAwJDERMA8GA1UE
+ChMIR2FtZXlmaW4xDzANBgNVBAMTBmdyaW1zaTAeFw0yNTA0MDEyMzI0MjdaFw0y
+NTA2MzAyMzI0MjdaMCQxETAPBgNVBAoTCEdhbWV5ZmluMQ8wDQYDVQQDEwZncmlt
+c2kwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCe3Nfyz++gEGyiPXR2
+Gi1BtJrbQyAhqkO94XrCa0MmBPlb5AxakuMh3G9A8VmKgfaGithC5uO6rNKQX9rr
+TnxUBBNjVh0bu/gFD3YfgiE+UmPrf0BM2bFFm3fc3Ag4RwkyMnORTjUiKIJIK9LG
+kXIIeDd0SO5Hs+LBvyymOLNX6nsVIFa+tywVWJwPDLwxnf66PIH8E16aGBlsfwFl
+IjiVFp+54VaaOLv5vm+PcbPg4Q2bg3kD25V5U+KNd2FqElryKflrRQekCo1T52FL
+l7HQvyYdI8+E6wKNhO3io86/i9o7rNIl7QtO4OrwuRpoNho33HzqFMMkcz2yCWjR
+ilFzw7bGvAhKeCjrNHMHHpYlbXJ28opMJAfZMr0jLl8z2UuHe2kRCtUJL8sPpqcB
+RFT83/+Zc+3b846OIHf+WXGCtXBJ3XR2m+aZh41I4L4PSDDMebjboTVDvq0pfnvY
+ZIw1FAJTP09Wxe1ZB5xKBNG+MYQm4q0zoP0Os9BhAGAurQUCAwEAAaMhMB8wHQYD
+VR0OBBYEFOfG8eAgUuk0TK2ds09pV1BjFyqZMA0GCSqGSIb3DQEBDAUAA4IBgQCV
+YpKo50L1AjkjVpNnkVGX+mzTEHWkjE5Xhjmc/xsZAMeP2Dg0wSWqU6Vc1gya3Yvc
+Lnbjj1pVh5JLNNrTmCfttqYAuPYNlxkUfbzv5+61gyI4FsCUbddLwql9WSHToyeW
+xW+SmwIkKdRLFOiO927DuHc1G2UVXRPn2YFHTUTeHxZUSvBXvRoeQ+ofgqf54jGq
+oTNTe65/NfXzhQyTycwk3Zz3bRB8La2r20PBpNM8oTGwxbyGrbNYdZb+OwGIjEkB
+KeES8mjwS2PsPy6NdtLxN68No38ilXRzCzQL06lmLYA530n/SigPWbuRRE2JlDmN
+KcU+UQgzGf5gJ8Kut/Kg0K+qI4gq761N4EPnWXE8I59OhGDRzAA6FyJf8PJ9luQc
+pz7Yoc8QxRrDm36eQBBLVmGsnXVUD6FTvuofTjFPMrTOZFCcHNmH9JDdSCQHO1sI
+UCu7bWYGkAF93hFlAfl1h60tmZAyR2gMGwfgyDbdL2XYXA7dDRQftEQvtBmp5zI=
+-----END CERTIFICATE-----