impl: download the cli to a temporary location

fioan89 · fioan89 · commit 881a66259279 · 2025-07-15T23:54:19.000+03:00
The download and signature verification steps are now slightly altered to first download
the cli to a temporary location and only after the signature verification is successful
or the user accepted the risk of running an unsigned binary - then and only then the temp
cli is moved to its final location (actually it is just a rename).

If the delete fails, this prevents the unsigned binary from being picked up as the
cached binary on the next run.
diff --git a/src/main/kotlin/com/coder/toolbox/cli/CoderCLIManager.kt b/src/main/kotlin/com/coder/toolbox/cli/CoderCLIManager.kt
@@ -164,87 +164,88 @@ class CoderCLIManager(
      * Download the CLI from the deployment if necessary.
      */
     suspend fun download(buildVersion: String, showTextProgress: (String) -> Unit): Boolean {
-        val cliResult = withContext(Dispatchers.IO) {
-            downloader.downloadCli(buildVersion, showTextProgress)
-        }.let { result ->
-            when {
-                result.isSkipped() -> return false
-                result.isNotFound() -> throw IllegalStateException("Could not find Coder CLI")
-                result.isFailed() -> throw (result as DownloadResult.Failed).error
-                else -> result as Downloaded
+        try {
+            val cliResult = withContext(Dispatchers.IO) {
+                downloader.downloadCli(buildVersion, showTextProgress)
+            }.let { result ->
+                when {
+                    result.isSkipped() -> return false
+                    result.isNotFound() -> throw IllegalStateException("Could not find Coder CLI")
+                    result.isFailed() -> throw (result as DownloadResult.Failed).error
+                    else -> result as Downloaded
+                }
             }
-        }
-
-        var signatureResult = withContext(Dispatchers.IO) {
-            downloader.downloadSignature(showTextProgress)
-        }
 
-        if (signatureResult.isNotDownloaded()) {
-            context.logger.info("Trying to download signature file from releases.coder.com")
-            signatureResult = withContext(Dispatchers.IO) {
-                downloader.downloadReleasesSignature(buildVersion, showTextProgress)
+            var signatureResult = withContext(Dispatchers.IO) {
+                downloader.downloadSignature(showTextProgress)
             }
-        }
 
-        // if we could not find any signature and the user wants to explicitly
-        // confirm whether we run an unsigned cli
-        if (signatureResult.isNotDownloaded()) {
-            if (context.settingsStore.allowUnsignedBinaryWithoutPrompt) {
-                context.logger.warn("Running unsigned CLI from ${cliResult.source}")
-                return true
-            } else {
-                val acceptsUnsignedBinary = context.ui.showYesNoPopup(
-                    context.i18n.ptrl("Security Warning"),
-                    context.i18n.pnotr("Can't verify the integrity of the Coder CLI pulled from ${cliResult.source}"),
-                    context.i18n.ptrl("Accept"),
-                    context.i18n.ptrl("Abort"),
-                )
+            if (signatureResult.isNotDownloaded()) {
+                context.logger.info("Trying to download signature file from releases.coder.com")
+                signatureResult = withContext(Dispatchers.IO) {
+                    downloader.downloadReleasesSignature(buildVersion, showTextProgress)
+                }
+            }
 
-                if (acceptsUnsignedBinary) {
+            // if we could not find any signature and the user wants to explicitly
+            // confirm whether we run an unsigned cli
+            if (signatureResult.isNotDownloaded()) {
+                if (context.settingsStore.allowUnsignedBinaryWithoutPrompt) {
+                    context.logger.warn("Running unsigned CLI from ${cliResult.source}")
+                    downloader.commit()
                     return true
                 } else {
-                    // remove the cli, otherwise next time the user tries to login the cached cli is picked up,
-                    // and we don't verify cached cli signatures
-                    Files.delete(cliResult.dst)
-                    throw UnsignedBinaryExecutionDeniedException("Running unsigned CLI from ${cliResult.source} was denied by the user")
+                    val acceptsUnsignedBinary = context.ui.showYesNoPopup(
+                        context.i18n.ptrl("Security Warning"),
+                        context.i18n.pnotr("Can't verify the integrity of the Coder CLI pulled from ${cliResult.source}"),
+                        context.i18n.ptrl("Accept"),
+                        context.i18n.ptrl("Abort"),
+                    )
+
+                    if (acceptsUnsignedBinary) {
+                        downloader.commit()
+                        return true
+                    } else {
+                        throw UnsignedBinaryExecutionDeniedException("Running unsigned CLI from ${cliResult.source} was denied by the user")
+                    }
                 }
             }
-        }
-
-        // we have the cli, and signature is downloaded, let's verify the signature
-        signatureResult = signatureResult as Downloaded
-        gpgVerifier.verifySignature(cliResult.dst, signatureResult.dst).let { result ->
-            when {
-                result.isValid() -> return true
-                else -> {
-                    // remove the cli, otherwise next time the user tries to login the cached cli is picked up,
-                    // and we don't verify cached cli signatures
-                    runCatching { Files.delete(cliResult.dst) }
-                        .onFailure { ex ->
-                            context.logger.warn(ex, "Failed to delete CLI file: ${cliResult.dst}")
-                        }
 
-                    val exception = when {
-                        result.isInvalid() -> {
-                            val reason = (result as Invalid).reason
-                            UnsignedBinaryExecutionDeniedException(
-                                "Signature of ${cliResult.dst} is invalid." + reason?.let { " Reason: $it" }.orEmpty()
-                            )
-                        }
-
-                        result.signatureIsNotFound() -> {
-                            UnsignedBinaryExecutionDeniedException(
-                                "Can't verify signature of ${cliResult.dst} because ${signatureResult.dst} does not exist"
-                            )
-                        }
+            // we have the cli, and signature is downloaded, let's verify the signature
+            signatureResult = signatureResult as Downloaded
+            gpgVerifier.verifySignature(cliResult.dst, signatureResult.dst).let { result ->
+                when {
+                    result.isValid() -> {
+                        downloader.commit()
+                        return true
+                    }
 
-                        else -> {
-                            UnsignedBinaryExecutionDeniedException((result as Failed).error.message)
+                    else -> {
+                        val exception = when {
+                            result.isInvalid() -> {
+                                val reason = (result as Invalid).reason
+                                UnsignedBinaryExecutionDeniedException(
+                                    "Signature of ${cliResult.dst} is invalid." + reason?.let { " Reason: $it" }
+                                        .orEmpty()
+                                )
+                            }
+
+                            result.signatureIsNotFound() -> {
+                                UnsignedBinaryExecutionDeniedException(
+                                    "Can't verify signature of ${cliResult.dst} because ${signatureResult.dst} does not exist"
+                                )
+                            }
+
+                            else -> {
+                                UnsignedBinaryExecutionDeniedException((result as Failed).error.message)
+                            }
                         }
+                        throw exception
                     }
-                    throw exception
                 }
             }
+        } finally {
+            downloader.cleanup()
         }
     }
 
@@ -475,7 +476,7 @@ class CoderCLIManager(
             }
 
             else -> {
-                // An error here most likely means the CLI does not exist or
+                // An error here most likely means the CLI does not exist, or
                 // it executed successfully but output no version which
                 // suggests it is not the right binary.
                 context.logger.info("Unable to determine $localBinaryPath version: ${e.message}")
diff --git a/src/main/kotlin/com/coder/toolbox/cli/downloader/CoderDownloadService.kt b/src/main/kotlin/com/coder/toolbox/cli/downloader/CoderDownloadService.kt
@@ -7,6 +7,8 @@ import com.coder.toolbox.util.SemVer
 import com.coder.toolbox.util.getHeaders
 import com.coder.toolbox.util.getOS
 import com.coder.toolbox.util.sha1
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.withContext
 import okhttp3.ResponseBody
 import retrofit2.Response
 import java.io.FileInputStream
@@ -17,6 +19,7 @@ import java.net.URI
 import java.net.URL
 import java.nio.file.Files
 import java.nio.file.Path
+import java.nio.file.StandardCopyOption
 import java.nio.file.StandardOpenOption
 import java.util.zip.GZIPInputStream
 import kotlin.io.path.name
@@ -31,13 +34,14 @@ class CoderDownloadService(
     private val deploymentUrl: URL,
     forceDownloadToData: Boolean,
 ) {
-    val remoteBinaryURL: URL = context.settingsStore.binSource(deploymentUrl)
-    val localBinaryPath: Path = context.settingsStore.binPath(deploymentUrl, forceDownloadToData)
+    private val remoteBinaryURL: URL = context.settingsStore.binSource(deploymentUrl)
+    private val cliFinalDst: Path = context.settingsStore.binPath(deploymentUrl, forceDownloadToData)
+    private val cliTempDst: Path = cliFinalDst.resolveSibling("${cliFinalDst.name}.tmp")
 
     suspend fun downloadCli(buildVersion: String, showTextProgress: (String) -> Unit): DownloadResult {
         val eTag = calculateLocalETag()
         if (eTag != null) {
-            context.logger.info("Found existing binary at $localBinaryPath; calculated hash as $eTag")
+            context.logger.info("Found existing binary at $cliFinalDst; calculated hash as $eTag")
         }
         val response = downloadApi.downloadCli(
             url = remoteBinaryURL.toString(),
@@ -47,13 +51,13 @@ class CoderDownloadService(
 
         return when (response.code()) {
             HTTP_OK -> {
-                context.logger.info("Downloading binary to $localBinaryPath")
-                response.saveToDisk(localBinaryPath, showTextProgress, buildVersion)?.makeExecutable()
-                DownloadResult.Downloaded(remoteBinaryURL, localBinaryPath)
+                context.logger.info("Downloading binary to temporary $cliTempDst")
+                response.saveToDisk(cliTempDst, showTextProgress, buildVersion)?.makeExecutable()
+                DownloadResult.Downloaded(remoteBinaryURL, cliTempDst)
             }
 
             HTTP_NOT_MODIFIED -> {
-                context.logger.info("Using cached binary at $localBinaryPath")
+                context.logger.info("Using cached binary at $cliFinalDst")
                 showTextProgress("Using cached binary")
                 DownloadResult.Skipped
             }
@@ -67,14 +71,40 @@ class CoderDownloadService(
         }
     }
 
+    /**
+     * Renames the temporary binary file to its original destination name.
+     * The implementation will override sibling file that has the original
+     * destination name.
+     */
+    suspend fun commit(): Path {
+        return withContext(Dispatchers.IO) {
+            context.logger.info("Renaming binary from $cliTempDst to $cliFinalDst")
+            Files.move(cliTempDst, cliFinalDst, StandardCopyOption.REPLACE_EXISTING)
+            cliFinalDst.makeExecutable()
+            cliFinalDst
+        }
+    }
+
+    /**
+     * Cleans up the temporary binary file if it exists.
+     */
+    suspend fun cleanup() {
+        withContext(Dispatchers.IO) {
+            runCatching { Files.deleteIfExists(cliTempDst) }
+                .onFailure { ex ->
+                    context.logger.warn(ex, "Failed to delete temporary CLI file: $cliTempDst")
+                }
+        }
+    }
+
     private fun calculateLocalETag(): String? {
         return try {
-            if (localBinaryPath.notExists()) {
+            if (cliFinalDst.notExists()) {
                 return null
             }
-            sha1(FileInputStream(localBinaryPath.toFile()))
+            sha1(FileInputStream(cliFinalDst.toFile()))
         } catch (e: Exception) {
-            context.logger.warn(e, "Unable to calculate hash for $localBinaryPath")
+            context.logger.warn(e, "Unable to calculate hash for $cliFinalDst")
             null
         }
     }
@@ -124,7 +154,7 @@ class CoderDownloadService(
                 }
             }
         }
-        return localBinaryPath
+        return cliFinalDst
     }
 
 
@@ -154,7 +184,7 @@ class CoderDownloadService(
 
     private suspend fun downloadSignature(url: URL, showTextProgress: (String) -> Unit): DownloadResult {
         val signatureURL = url.toURI().resolve(context.settingsStore.defaultSignatureNameByOsAndArch).toURL()
-        val localSignaturePath = localBinaryPath.parent.resolve(context.settingsStore.defaultSignatureNameByOsAndArch)
+        val localSignaturePath = cliFinalDst.parent.resolve(context.settingsStore.defaultSignatureNameByOsAndArch)
         context.logger.info("Downloading signature from $signatureURL")
 
         val response = downloadApi.downloadSignature(
