Skip to content

fix: plugins explicit error matching#87

Closed
yacosta738 wants to merge 2 commits into
mainfrom
fix/plugins-explicit-error-matching-12980468180533261429
Closed

fix: plugins explicit error matching#87
yacosta738 wants to merge 2 commits into
mainfrom
fix/plugins-explicit-error-matching-12980468180533261429

Conversation

@yacosta738
Copy link
Copy Markdown
Contributor

@yacosta738 yacosta738 commented Feb 26, 2026
edited by coderabbitai Bot
Loading

This pull request introduces several improvements to certificate chain validation for plugins, focusing on more robust handling of Fulcio keyless certificates and clarifying code semantics. The main enhancements include correcting the encoding of the code signing OID, embedding a fallback Fulcio intermediate certificate, and improving the handling of expired certificates during runtime verification.

Certificate validation robustness:

  • Corrected the DER encoding for CODE_SIGNING_EKU_OID to match what webpki::KeyUsage::required_if_present expects, ensuring proper code signing verification.
  • Added an embedded Fulcio intermediate certificate (FULCIO_INTERMEDIATE_CERT_1_PEM) and updated logic to use it as a fallback if no intermediates are found in the chain, improving reliability of certificate validation. [1] [2]

Runtime certificate verification logic:

  • Refined runtime verification to explicitly allow expired Fulcio certificates, logging time-based errors at debug level and failing only on other verification errors, which improves installability of previously published artifacts. [1] [2] [3]
  • Clarified comments and variable names to better explain the distinction between install-time and runtime certificate checks, improving code readability and maintainability.

Dependency update:

  • Imported the Error type from webpki to enable more granular error handling during certificate verification.

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced certificate chain verification with automatic fallback to embedded intermediates, improving validation robustness
    • Refined runtime certificate validation error handling to gracefully process time-related errors without causing failures
    • Improved error logging for time-based certificate validation issues during runtime verification

yacosta738 and others added 2 commits February 25, 2026 22:41
@yacosta738
fix(plugins): update code signing EKU OID encoding and improve Fulcio…
1ded432 
… intermediate handling

- Correct DER encoding for CODE_SIGNING_EKU_OID to match webpki expectations
- Add embedded Fulcio intermediate certificate and use as fallback if none provided
- Clarify certificate validity checks and error handling for expired certs
@google-labs-jules @yacosta738
fix(agent-runtime): use explicit webpki error matching for certificat…
10c343a 
…e validity

Replace string-based error matching with explicit rustls-webpki Error variants in plugin signature verification.

Co-authored-by: yacosta738 <33158051+yacosta738@users.noreply.github.com>
@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages Bot commented Feb 26, 2026

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs		 corvus-plugins-edge 10c343a Feb 25 2026, 10:21 PM

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Feb 26, 2026
edited
Loading

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between eaca946 and 10c343a.

📒 Files selected for processing (1)
  • clients/agent-runtime/src/plugins/mod.rs
📝 Walkthrough

Walkthrough

Certificate verification logic in the agent-runtime is modified to convert the CODE_SIGNING_EKU_OID to DER-encoded bytes, add a Fulcio intermediate as a fallback in the chain, validate certificates against Fulcio trust anchors using expanded verification paths, and treat time-based validation errors as non-fatal during runtime re-verification.

Changes

Cohort / File(s) Summary
Certificate Verification Logic
clients/agent-runtime/src/plugins/mod.rs		 Adds webpki Error import; converts CODE_SIGNING_EKU_OID from OID arc array to DER-encoded byte sequence; implements Fulcio intermediate fallback when parsed chain is empty; expands end-entity certificate verification to include intermediates and UnixTime validation against Fulcio trust anchors; treats time-related errors (expired/not-yet-valid) as non-fatal (debug-logged) during runtime verification while preserving install-time checks; updates validity flag handling and error context logging for new control flow.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

✨ Finishing Touches
  • 📝 Generate docstrings (stacked PR)
  • 📝 Generate docstrings (commit on current branch)
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/plugins-explicit-error-matching-12980468180533261429

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@yacosta738 yacosta738 closed this Feb 26, 2026
@yacosta738 yacosta738 deleted the fix/plugins-explicit-error-matching-12980468180533261429 branch March 6, 2026 08:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@yacosta738