From 62dc983f1a027a1a4c563ac66efeacb2ffca04ba Mon Sep 17 00:00:00 2001
From: Kristaps Kaupe
Date: Mon, 29 Aug 2022 00:00:46 +0300
Subject: [PATCH] Check sha256 hashes for downloads before GPG signature validation

---
 install.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/install.sh b/install.sh
index bbd1707..da5542a 100755
--- a/install.sh
+++ b/install.sh
@@ -206,6 +206,9 @@ dep_get ()
 if [ ! -f "${pkg_name}" ] || ! sha256_verify "${pkg_hash}" "${pkg_name}"; then
 http_get "${pkg_url}/${pkg_name}" "${pkg_name}"
 fi
+ if ! sha256_verify "${pkg_hash}" "${pkg_name}"; then
+ return 1
+ fi
 if [[ -n "${pkg_hash_file}" ]]; then
 http_get "${pkg_url}/${pkg_hash_file}" "${pkg_hash_file}"
 if [[ -n "${pkg_hash_file_sig}" ]]; then
@@ -221,9 +224,6 @@ dep_get ()
 http_get "${pkg_url}/${pkg_sig}" "${pkg_sig}"
 gpg_verify "../../pubkeys/third-party/${pkg_pubkeys}" "${pkg_sig}"
 fi
- if ! sha256_verify "${pkg_hash}" "${pkg_name}"; then
- return 1
- fi
 tar -xzf "${pkg_name}" -C ../
 popd
 }
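Review bot: The moved `return 1` on sha256 mismatch in the first hunk still exits dep_get before the `popd` at the end of the second hunk, so a caller is left in the directory that dep_get changed into; the matching pushd is presumably at the start of dep_get, outside the hunk. The early return is also silent, so a failed download or a tampered archive produces no diagnostic naming the package. Suggest `printf 'sha256 mismatch for %s\n' "${pkg_name}" >&2; popd; return 1` in place of the bare `return 1`, matching the bare `popd` the function already uses. The `gpg_verify` call in the second hunk is not new, but its exit status is not checked either; unless `set -e` is in effect (not visible here) a bad signature does not stop the `tar -xzf` that follows.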