# Contract: Vendor Installer Verification

Version: 1.1

## Purpose

Rules for downloading and verifying proprietary vendor installers (`.run`, `.exe`, `.tar.gz`) where the vendor publishes a checksum alongside the binary.

Applies to: NVIDIA drivers, vendor CLI tools, firmware packages. See `README.md` for shell snippets.

## Rules

- Download the checksum file **before** the installer — never after. If the download is interrupted, you still have the expected checksum to verify against on retry.
- Verify the checksum before extracting or executing.
- On mismatch: delete the file, exit with error. Never proceed with a bad installer.
- Never assume a cached file is valid — a previous download may have been interrupted. **Never check only for file existence**: the file must be non-empty (`-s`) AND pass checksum.
- Cache by `version` + any secondary key (e.g. kernel version for compiled modules).
- Before writing build scripts, verify the version URL actually exists (`curl -sIL`). A `404` or `content-length: 0` means the version is absent on that CDN; vendor version numbering may have gaps.
- Never commit installer files to git — always download at build time.
- Log the expected hash when downloading so failures are diagnosable.
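The rules above describe one procedure (checksum first, non-empty plus checksum check, delete on mismatch, version-keyed cache, URL probe, logged expected hash). The following POSIX sh routine is an added example written for this page; it is not the `README.md` snippet and not any vendor's tooling. It assumes the vendor checksum file is in `sha256sum` format (`<hex>  <filename>`) and that `sha256sum` or `shasum` is installed; all function and variable names (`verify_installer`, `cache_dir`, `INSTALLER_CACHE`, the checksum URL convention in `fetch_and_verify`) are hypothetical. It goes slightly beyond the bullets by also parsing the `curl -sIL` header output so the "404 or content-length: 0" rule is a testable decision rather than a manual read.

```shell
#!/bin/sh
# Added example for this contract (hypothetical names; not from README.md
# or any vendor). Assumes sha256sum-format checksum files.

# Hex SHA-256 of a file, portable across coreutils and BSD/macOS.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Expected digest: first field of the first line of the checksum file.
expected_sha256() {
    awk 'NR == 1 { print $1 }' "$1"
}

# Cache location keyed by version plus an optional secondary key
# (e.g. kernel release for drivers that compile modules).
cache_dir() {
    name=$1; version=$2; secondary=${3:-}
    base=${INSTALLER_CACHE:-/var/cache/installers}   # assumed env var
    if [ -n "$secondary" ]; then
        printf '%s/%s/%s-%s\n' "$base" "$name" "$version" "$secondary"
    else
        printf '%s/%s/%s\n' "$base" "$name" "$version"
    fi
}

# verify_installer FILE CHECKSUM_FILE
# Returns 0 only if FILE is non-empty AND its SHA-256 matches. On any
# failure the installer is deleted, so a partial cached download can
# never pass as a good one on the next run. The expected hash is logged
# before comparing so a mismatch is diagnosable from the log alone.
verify_installer() {
    file=$1; sums=$2
    if [ ! -s "$sums" ]; then
        echo "ERROR: checksum file missing or empty: $sums" >&2
        return 1
    fi
    expected=$(expected_sha256 "$sums")
    echo "INFO: expected sha256 for $file: $expected" >&2
    if [ ! -s "$file" ]; then
        echo "ERROR: $file missing or empty (interrupted download?); removing" >&2
        rm -f "$file"
        return 1
    fi
    actual=$(file_sha256 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "ERROR: checksum mismatch for $file; removing" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        rm -f "$file"
        return 1
    fi
    echo "OK: $file verified" >&2
}

# Read `curl -sIL` output on stdin and decide whether the version exists:
# the final HTTP status must be 200 and, if a Content-Length header is
# present, it must be non-zero. Returns 0 when the version is present.
version_present_from_headers() {
    tr -d '\r' | awk '
        toupper($1) ~ /^HTTP\// { code = $2 }
        tolower($1) == "content-length:" { len = $2 }
        END { exit !(code == "200" && (len == "" || len + 0 > 0)) }'
}

# Probe a version URL before writing build scripts (needs network).
check_version_url() {
    curl -sIL "$1" | version_present_from_headers
}

# Contract order: checksum file first, then installer, then verify.
# A cached installer is reused only if it verifies; a bad one is
# deleted by verify_installer and re-downloaded. The checksum URL
# convention is vendor-specific and passed in explicitly (assumption).
fetch_and_verify() {
    url=$1; checksum_url=$2; dest=$3
    curl -fsSL -o "$dest.sha256" "$checksum_url" || return 1
    [ -s "$dest" ] && verify_installer "$dest" "$dest.sha256" && return 0
    curl -fsSL -o "$dest" "$url" || return 1
    verify_installer "$dest" "$dest.sha256"
}
```

Usage from a build script would be `fetch_and_verify "$URL" "$URL.sha256" "$(cache_dir example-tool 1.2.3 "$(uname -r)")/installer.run" || exit 1`, with the checksum URL adjusted to the vendor's actual naming. Only `check_version_url` and `fetch_and_verify` touch the network; everything else operates on local files, which is what makes the delete-on-mismatch and non-empty rules easy to exercise in CI with a constructed installer.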