A new UI setting was introduced to allow users to run unsigned binaries
without any input from the user. Defaults to false which means if a binary
is unsigned we will ask the user what to do next.

I moved and modified the logic from CliManager.download to a separate
http client based on okhttp and retrofit. The refactor will allow us
to easily add new steps in the main download method, and also to easily
download new resources. Long term we could also re-use the okhttp client
to avoid setting twice the same boilerplate (proxy which is missing from CLIManager,
hostname verification and other tls settings) between cli downloader and the rest client

From the same source where the cli binary was downloaded.
Some of the previous classes like download result were updated to incorporate
details like where the file was saved or whether a file was found on the remote

`allowUnsignedBinaryWithoutPrompt` was caching the initial value read from the
store, which required a restart of Toolbox for the real value to reflect.

A pop-up dialog is displayed asking the user if he wants to run an unsigned
cli version. The pop-up can be skipped if the user configures the `Allow unsigned binary execution without prompt`

…ication

Adds logic to verify the CLI against a detached GPG signature with the help of bouncycastle library

This is the key that validates if the gpg signature was tampered

Initially I thought about embedding it as a const string in the code
but the string is too big, best to save it as resource file.
The code changes are mostly related to loading the key from the file.

Signature verification some operations that are cpu bound that are light, like
decoding and decompressing signature data, some medium CPU intensive operations
like the cryptographic verifications and a couple of blocking IO operations:
- reading the cli file
- reading the signature file
- reading the public key file

These last should run on the IO thread to not block the main thread from drawing the screen.
The cpu bound operation should run on the default thread.

previous implementation was selecting only the first key ring from the public key file
which turns out to be wrong. Instead, we should keep all the key rings and search signature
key id in all the key rings.

Otherwise, at the next Toolbox restart the signature will no longer be verified,
and we run into the risk of running unsigned binaries.

`Files.readAllBytes()` uses direct buffers internally which can be filled up quickly when
called repeatedly in coroutines, as these buffers are not released quickly by the GC.
The scenario can be reproduced by trying to login a couple of times one after the other with
signature verification failing each time.

Instead, we can avoid memory issues by streaming the cli and feed only blocks of bytes into the signature calculation.

When there is no signature and the user allowed running of unsigned binaries without prompt

A major feature was added

And also disable the work in progress animations after a fatal error occurred.
Most exceptions, especially the ones related to cli signature verification were
suppressed and only displayed in the logs with no visual feedback.

The logic for matching the local CLI version with the deployment previously attempted to run
the CLI with --version without first verifying that the binary existed. This commit improves
that by first checking if the file exists, avoiding the unnecessary overhead of spawning a
process for a non-existent binary.

…er-cli

Retroactive cli signatures are now published at releases.coder.com/coder-cli/x.y.z/
where x.y.z is the major, minor and patch version of the deployment.

…blished

We now have a lot of signatures published for a lot of older cli version which means
some of the tests that were not expecting the fallback to activate are now in trouble.
The simple fix is to "download" a very old version for which signatures will not be generated.

Instead of deriving the signature name from the cli name it is now coded
into settings store just like the default cli name

It is already supported by java.net.URI

The download and signature verification steps are now slightly altered to first download
the cli to a temporary location and only after the signature verification is successful
or the user accepted the risk of running an unsigned binary - then and only then the temp
cli is moved to its final location (actually it is just a rename).

If the delete fails, this prevents the unsigned binary from being picked up as the
cached binary on the next run.

Ask the user if he wants to accept the risk of running a potentially tampered
CLI when signature verification failed (i.e. we downloaded the signatures but either
it doesn't match or there were some error while computing the signature.

We are going to ask the user only once during the initial login screen if he wants to
fallback on releases.coder.com when signatures are not present in the coder deployment.
However, we still want to leave him the option to later change his mind the in Settings page.

The user can opt in to fallback on releases.coder.com from the login screen
only once. Later on he can change his mind in the Settings page.

Unless we restart toolbox. This happens because the UI fields are initialized only
once when the page is created. If we switch to a different page that can update the
settings (for example the login screen can alter the fallback strategy when signature
are missing) and then come back to the settings page - in that case Toolbox does not
request the settings again from the settings store.

This happens in the following cases:
- if the deployment did not have any signatures and user decided to fallback on
  releases.coder.com but the fallback did not have any signature or we failed to download it.
- similarly if the user does not want to fallback we still ask him if he wants to run the
  unverified cli