From 6a7f62f0ee840ca217b6a49a88204d6b4c6ee553 Mon Sep 17 00:00:00 2001
From: afresh1
Date: Sun, 20 Feb 2022 19:24:19 +0000
Subject: [PATCH] Remove downloaded SHA256.sig if signature validation fails

Without the "noclobber" setting we would have overwitten with an empty file and best not to leave a failed file around.

Noticed by florian@
---
 usr.sbin/fw_update/fw_update.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/fw_update/fw_update.sh b/usr.sbin/fw_update/fw_update.sh
index 89bc23bc193..06412feca81 100644
--- a/usr.sbin/fw_update/fw_update.sh
+++ b/usr.sbin/fw_update/fw_update.sh
@@ -1,5 +1,5 @@
 #!/bin/ksh
-# $OpenBSD: fw_update.sh,v 1.40 2022/02/20 18:06:05 afresh1 Exp $
+# $OpenBSD: fw_update.sh,v 1.41 2022/02/20 19:24:19 afresh1 Exp $
 #
 # Copyright (c) 2021 Andrew Hewus Fresh
 #
@@ -146,7 +146,8 @@ fetch_cfile() {
 fetch "$CFILE" || return 1
 set -o noclobber
 ! signify -qVep "$FWPUB_KEY" -x "$CFILE" -m "$CFILE" &&
- echo "Signature check of SHA256.sig failed" >&2 && return 1
+ echo "Signature check of SHA256.sig failed" >&2 &&
+ rm -f "$CFILE" && return 1
 elif [ ! -e "$CFILE" ]; then
 echo "${0##*/}: $CFILE: No such file or directory" >&2
 return 1
--
2.20.1
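Review bot: In the fetch_cfile hunk the signature-failure path is still a single `&&` chain, so `return 1` is reached only when both `echo` and the new `rm -f "$CFILE"` succeed. If either fails (stderr not writable, or the file cannot be unlinked), the function does not return at this point and the unverified SHA256.sig is still on disk. Grouping the failure actions makes the rejection unconditional: `! signify -qVep "$FWPUB_KEY" -x "$CFILE" -m "$CFILE" && { echo "Signature check of SHA256.sig failed" >&2; rm -f "$CFILE"; return 1; }`. The body of fetch_cfile starts and ends outside the hunk, so what runs after such a fall-through is not visible here.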