bible/rules/patterns/vendor-installer-verification/README.md

# Vendor Installer Verification Pattern Notes

This file keeps examples. The normative rules live in `contract.md`.

## Download Order

```sh
BASE_URL="https://vendor.example.com/downloads/${VERSION}"
BIN_FILE="/var/cache/vendor-${VERSION}.run"
SHA_FILE="/var/cache/vendor-${VERSION}.run.sha256sum"

# 1. Download checksum first
wget -q -O "$SHA_FILE" "${BASE_URL}/vendor-${VERSION}.run.sha256sum"

# 2. Download installer
wget --show-progress -O "$BIN_FILE" "${BASE_URL}/vendor-${VERSION}.run"

# 3. Verify
cd /var/cache
sha256sum -c "$SHA_FILE" || { echo "ERROR: sha256 mismatch"; rm -f "$BIN_FILE"; exit 1; }
```

## Cache with Verification

```sh
verify_cached() {
    [ -s "$SHA_FILE" ] || return 1   # sha256 file missing or empty
    [ -s "$BIN_FILE" ] || return 1   # binary missing or empty
    cd "$(dirname "$BIN_FILE")"
    sha256sum -c "$SHA_FILE" --status 2>/dev/null
}

if ! verify_cached; then
    rm -f "$BIN_FILE" "$SHA_FILE"
    # ... download and verify
else
    echo "verified from cache"
fi
```

## Version Validation

```sh
curl -sIL "https://vendor.example.com/downloads/${VERSION}/installer.run" \
    | grep -i 'http/\|content-length'
```