fix: avoid out of memory when verifying signatures

fioan89 · fioan89 · commit 6a799954bde1 · 2025-07-12T00:28:10.000+03:00
`Files.readAllBytes()` uses direct buffers internally which can be filled up quickly when
called repeatedly in coroutines, as these buffers are not released quickly by the GC.
The scenario can be reproduced by trying to login a couple of times one after the other with
signature verification failing each time.

Instead, we can avoid memory issues by streaming the cli and feed only blocks of bytes into the signature calculation.
diff --git a/src/main/kotlin/com/coder/toolbox/cli/gpg/GPGVerifier.kt b/src/main/kotlin/com/coder/toolbox/cli/gpg/GPGVerifier.kt
@@ -20,6 +20,7 @@ import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProv
 import java.io.ByteArrayInputStream
 import java.nio.file.Files
 import java.nio.file.Path
+import kotlin.io.path.inputStream
 
 class GPGVerifier(
     private val context: CoderToolboxContext,
@@ -35,15 +36,14 @@ class GPGVerifier(
                 return SignatureNotFound
             }
 
-            val (cliBytes, signatureBytes, publicKeyRing) = withContext(Dispatchers.IO) {
-                val cliBytes = Files.readAllBytes(cli)
+            val (signatureBytes, publicKeyRing) = withContext(Dispatchers.IO) {
                 val signatureBytes = Files.readAllBytes(signature)
                 val publicKeyRing = getCoderPublicKeyRings()
 
-                Triple(cliBytes, signatureBytes, publicKeyRing)
+                Pair(signatureBytes, publicKeyRing)
             }
             return verifyDetachedSignature(
-                cliBytes = cliBytes,
+                cliPath = cli,
                 signatureBytes = signatureBytes,
                 publicKeyRings = publicKeyRing
             )
@@ -83,7 +83,7 @@ class GPGVerifier(
      * Verify a detached GPG signature
      */
     fun verifyDetachedSignature(
-        cliBytes: ByteArray,
+        cliPath: Path,
         signatureBytes: ByteArray,
         publicKeyRings: List<PGPPublicKeyRing>
     ): VerificationResult {
@@ -102,7 +102,13 @@ class GPGVerifier(
                 ?: throw PGPException("Public key not found for signature")
 
             signature.init(JcaPGPContentVerifierBuilderProvider(), publicKey)
-            signature.update(cliBytes)
+            cliPath.inputStream().use { fileStream ->
+                val buffer = ByteArray(8192)
+                var bytesRead: Int
+                while (fileStream.read(buffer).also { bytesRead = it } != -1) {
+                    signature.update(buffer, 0, bytesRead)
+                }
+            }
 
             val isValid = signature.verify()
             context.logger.info("GPG signature verification result: $isValid")
