From 8c6690f7d569c9127e2edea0b97956ac59a6e040 Mon Sep 17 00:00:00 2001
From: andrussal <salumets.andrus@gmail.com>
Date: Wed, 3 Dec 2025 04:11:43 +0100
Subject: [PATCH] Harden nomos-circuits download/extract

---
 scripts/setup-nomos-circuits.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/scripts/setup-nomos-circuits.sh b/scripts/setup-nomos-circuits.sh
index bbd2dd1..e70f8d0 100755
--- a/scripts/setup-nomos-circuits.sh
+++ b/scripts/setup-nomos-circuits.sh
@@ -110,7 +110,7 @@ download_release() {
     print_info "URL: $url"
 
     # Build curl command with optional authentication
-    local curl_cmd="curl -L"
+    local curl_cmd="curl -fL --retry 5 --retry-delay 2 --retry-all-errors"
     if [ -n "$GITHUB_TOKEN" ]; then
         curl_cmd="$curl_cmd --header 'authorization: Bearer ${GITHUB_TOKEN}'"
     fi
@@ -126,6 +126,13 @@ download_release() {
 
     print_success "Download complete"
 
+    # Validate archive before extracting
+    if ! tar -tzf "${temp_dir}/${artifact}" >/dev/null 2>&1; then
+        print_error "Downloaded archive is not a valid tar.gz: ${temp_dir}/${artifact}"
+        rm -rf "$temp_dir"
+        return 1
+    fi
+
     print_info "Extracting to ${INSTALL_DIR}..."
     mkdir -p "$INSTALL_DIR"