keep-desktop: add opt-in strict certificate pinning toggle#826
Conversation
|
Warning Review limit reached
Next review available in: 48 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (5)
WalkthroughA new opt-in desktop setting controls strict TLS certificate pinning. The value is persisted, exposed in the settings UI, propagated into relay verification, and documented with pin provisioning instructions. Strict mode rejects unpinned relays while retaining pin-mismatch errors. ChangesStrict certificate pinning
Estimated code review effort: 3 (Moderate) | ~20 minutes Possibly related issues
Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Closes the remaining desktop half of #786. keep-desktop hardcoded
require_pinned = falseinverify_relay_certificates, so both the relay-connect path and the bunker path always trusted an un-pinnedwss://relay on first use. keep-mobile already ships the persisted opt-in toggle; this brings desktop to parity and documents out-of-band pin provisioning.Changes
Settings.strict_cert_pinning(persisted insettings.json,#[serde(default)], off by default): strict pinning stays opt-in, and a settings file written before the field existed keeps parsing with strict mode off.verify_relay_certificatestakes arequire_pinnedpolicy parameter;NetworkConfigcarries it fromApp::network_config()(relay-connect path), and the bunker start path captures it from settings. When enabled, awss://relay with no recorded pin is rejected fail-closed instead of TOFU-pinned.save_settings).docs/SECURITY.md: documents the first-use TOFU window, how to enable strict mode on desktop/mobile, and how to provision relay SPKI pins out-of-band (cert-pins.jsonhostname → SPKI SHA-256 hex, with anopensslone-liner that matches the pin computation: SHA-256 over the DER-encoded SubjectPublicKeyInfo).Verification
settings.jsonwithout the field parses with strict mode off; the setting round-trips through serde; the toggle message updates both the persisted settings and the screen state (and asserts the opt-in default).cargo test -p keep-desktop: 68 passed.cargo clippy -p keep-desktop --all-targets: clean.Summary by CodeRabbit
New Features
Documentation