
Security: Sign and verify VM Agent binaries #1

@raphaeltm

Description


Summary

The VM Agent binary is downloaded from R2 during cloud-init and executed on VMs. Currently there is no verification that the binary hasn't been tampered with.

Risk

If R2 is compromised (or an attacker gains upload access), malicious binaries could be deployed to all new VMs, giving them:

  • Access to user workspaces
  • Access to credentials passed via cloud-init
  • Ability to exfiltrate code and data

Proposed Solution

  1. Build-time: Sign the VM Agent binary with a private key (stored as a GitHub secret)
  2. Upload-time: Include signature file alongside binary in R2
  3. Cloud-init: Verify signature before executing binary

Implementation Details

# In cloud-init, before executing agent:
set -euo pipefail
# -f fails on HTTP errors instead of saving an error page as the "binary";
# -o pins the local filenames so they match what the verify step expects,
# regardless of how the last path component of ${AGENT_URL} is spelled.
curl -fsSL -o vm-agent "${AGENT_URL}"
curl -fsSL -o vm-agent.sig "${AGENT_URL}.sig"
# Verify the detached signature against the public key shipped with the template
# before the binary is ever made executable.
if ! openssl dgst -sha256 -verify /etc/vm-agent/public-key.pem -signature vm-agent.sig vm-agent; then
  echo "Agent binary verification failed!" >> /var/log/cloud-init-output.log
  rm -f vm-agent vm-agent.sig
  exit 1
fi
chmod +x vm-agent && ./vm-agent

Tasks

  • Generate signing keypair, store the private key in GitHub secrets
  • Add signing step to CI/CD pipeline after Go build
  • Upload .sig file alongside binary to R2
  • Embed public key in cloud-init template
  • Add verification step to cloud-init before agent execution
  • Document key rotation procedure

Priority

Medium - Not blocking MVP launch for self-hosted use, but should be addressed before any hosted/multi-tenant deployment.

Labels

enhancement, security
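The three-step flow proposed above (sign at build time, publish a detached .sig next to the artifact, verify before execution), run end to end locally so the failure modes can be checked. This is an added example and not code from the issue or the project: it uses a throwaway P-256 keypair generated in a temp directory, a constructed placeholder file standing in for the Go-built vm-agent binary, and assumed helper names (gen_keypair, sign_artifact, verify_artifact, run_demo). The verify command is the same openssl dgst invocation the issue proposes for cloud-init.

```shell
#!/bin/sh
# Added example, not code from the issue or the project: the sign-at-build /
# verify-at-boot flow from the proposal, exercised locally with openssl.
# Key names, paths and the "binary" are constructed for the demo.
set -eu

# Build-time, once: generate the signing keypair. The private half is what
# goes into the GitHub secret; only the public half is shipped to VMs.
gen_keypair() { # <private.pem> <public.pem>
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
  openssl pkey -in "$1" -pubout -out "$2"
}

# Build-time, per release: detached ECDSA signature over SHA-256 of the artifact.
# This is the <artifact>.sig that gets uploaded next to the binary in R2.
sign_artifact() { # <private.pem> <artifact> <sigfile>
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Boot-time (cloud-init): exit status 0 only when the signature was made over
# exactly these bytes by the holder of the trusted private key.
verify_artifact() { # <public.pem> <artifact> <sigfile>
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# The three cases a verifier must get right:
#   1. genuine binary + genuine signature   -> accepted
#   2. modified binary + genuine signature  -> rejected
#   3. binary re-signed with some other key -> rejected
# Returns 0 only if all three behave correctly.
run_cases() { # <workdir>
  w="$1"
  gen_keypair "$w/release.pem" "$w/release.pub"   # the key CI holds
  gen_keypair "$w/rogue.pem"   "$w/rogue.pub"     # an attacker's own key

  # Constructed stand-in for the vm-agent binary produced by the Go build.
  printf 'vm-agent build 1234 (constructed placeholder bytes)\n' > "$w/vm-agent"
  sign_artifact "$w/release.pem" "$w/vm-agent" "$w/vm-agent.sig"

  if ! verify_artifact "$w/release.pub" "$w/vm-agent" "$w/vm-agent.sig"; then
    echo "FAIL: genuine artifact rejected" >&2; return 1
  fi

  # Case 2: one appended byte, i.e. a tampered object served from R2 while the
  # original .sig is still alongside it.
  cp "$w/vm-agent" "$w/tampered"
  printf 'x' >> "$w/tampered"
  if verify_artifact "$w/release.pub" "$w/tampered" "$w/vm-agent.sig"; then
    echo "FAIL: tampered artifact accepted" >&2; return 1
  fi

  # Case 3: an attacker with upload access re-signs the tampered file with a key
  # they control; the VM only trusts release.pub, so this must still fail.
  sign_artifact "$w/rogue.pem" "$w/tampered" "$w/tampered.sig"
  if verify_artifact "$w/release.pub" "$w/tampered" "$w/tampered.sig"; then
    echo "FAIL: signature from untrusted key accepted" >&2; return 1
  fi
  return 0
}

# Runs the cases in a temp directory and cleans up; returns 0 on success.
run_demo() {
  work="$(mktemp -d)"
  if run_cases "$work"; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

run_demo && echo "sign/verify pipeline behaves as expected"
```

Note that this only establishes that the bytes were signed by whoever holds the release key; it does not stop a downgrade to an older, correctly signed build, and it is only as strong as the channel that delivers the public key to the VM (the cloud-init template here), which is why the tasks list embedding that key and documenting rotation separately.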
