From d48a6b245a95991170cc86bab55128730d288cae Mon Sep 17 00:00:00 2001
From: David Garske
Date: Wed, 27 May 2026 09:18:14 -0700
Subject: [PATCH 1/2] Harden coverity tool download: curl -L --fail + gzip sanity check
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/coverity-scan-fixes.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/coverity-scan-fixes.yml b/.github/workflows/coverity-scan-fixes.yml
index 804baa10..9f17a2e9 100644
--- a/.github/workflows/coverity-scan-fixes.yml
+++ b/.github/workflows/coverity-scan-fixes.yml
@@ -63,10 +63,16 @@ jobs:
 env:
 TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN_WOLFTPM }}
 run: |
- curl https://scan.coverity.com/download/cxx/linux64 \
- --no-progress-meter \
+ curl -L --fail --no-progress-meter \
 --output cov-analysis.tar.gz \
- --data "token=${TOKEN}&project=wolfTPM"
+ --data "token=${TOKEN}&project=wolfTPM" \
+ https://scan.coverity.com/download/cxx/linux64
+ file cov-analysis.tar.gz
+ if ! gzip -t cov-analysis.tar.gz 2>/dev/null; then
+ echo "Downloaded file is not gzip — server response:"
+ head -c 2000 cov-analysis.tar.gz
+ exit 1
+ fi
 mkdir -p cov-analysis
 tar -xzf cov-analysis.tar.gz --strip 1 -C cov-analysis
From ccea60fd60bec3ee2d8dabf77858e57a48304cb5 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 29 May 2026 09:56:26 -0700
Subject: [PATCH 2/2] Fix flaky fwtpm tpm2_sign tampered-ticket negative test
---
 scripts/tpm2_tools_test.sh | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/scripts/tpm2_tools_test.sh b/scripts/tpm2_tools_test.sh
index d255e8ce..4b39ccbf 100755
--- a/scripts/tpm2_tools_test.sh
+++ b/scripts/tpm2_tools_test.sh
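Review bot: The `head -c 2000` diagnostic after `gzip -t` only runs when the server answered 200 with a non-gzip body; on an HTTP error status `--fail` discards the response body and, if the step uses the default bash shell (which GitHub runs with `-e`), the step aborts at `curl` before `file` or `head` ever execute, so the presumably most common failure (a rejected token returning 4xx) still leaves no server response in the log. Consider `--fail-with-body` (curl 7.76+) with an explicit failure branch, e.g. `curl -L --fail-with-body --no-progress-meter --output cov-analysis.tar.gz --data "token=${TOKEN}&project=wolfTPM" https://scan.coverity.com/download/cxx/linux64 || { echo "Coverity download failed — server response:"; head -c 2000 cov-analysis.tar.gz; exit 1; }`, which keeps the body-printing path on both outcomes. Printing the body assumes the server does not echo the token back; GitHub masks the registered secret value in logs, but only verbatim occurrences, so a comment to that effect next to the `head` line would be worthwhile. The `run:` step's job and step headers begin before the hunk.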
@@ -1250,10 +1250,20 @@ run_test "tpm2_sign consumes TK_HASHCHECK ticket" \
 -o "$TEST_TMPDIR/hs_sig.bin" \
 "$TEST_TMPDIR/hs_digest.bin"
-# Negative: tamper ticket bytes; sign should reject (TPM_RC_TICKET).
+# Negative: corrupt the ticket digest; sign should reject (TPM_RC_TICKET).
+# Overwrite the trailing half of the ticket (where the HMAC digest lives)
+# rather than a single byte with a fixed value. A one-byte constant
+# overwrite is a no-op ~1/256 of the time when the original byte already
+# equals that value, leaving the ticket valid and making this test flaky.
+# Mirrors the robust tamper used by the certifycreation test above.
 cp "$TEST_TMPDIR/hs_ticket.bin" "$TEST_TMPDIR/hs_ticket.bad"
-printf '\x55' | dd of="$TEST_TMPDIR/hs_ticket.bad" \
- bs=1 count=1 seek=16 conv=notrunc 2>/dev/null
+HS_TICKET_SIZE=$(wc -c < "$TEST_TMPDIR/hs_ticket.bad")
+HS_TAMPER_OFFSET=$((HS_TICKET_SIZE / 2))
+HS_TAMPER_LEN=$((HS_TICKET_SIZE - HS_TAMPER_OFFSET))
+dd if=/dev/zero bs=1 count="$HS_TAMPER_LEN" 2>/dev/null \
+ | tr '\000' '\125' \
+ | dd of="$TEST_TMPDIR/hs_ticket.bad" \
+ bs=1 seek="$HS_TAMPER_OFFSET" conv=notrunc 2>/dev/null
 run_test_fail "tpm2_sign rejects tampered TK_HASHCHECK (TPM_RC_TICKET)" \
 tpm2_sign -c "$TEST_TMPDIR/hs_sign.ctx" \
 -g sha256 -d -t "$TEST_TMPDIR/hs_ticket.bad" \
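Review bot: The new tamper pipeline still has no check that the overwrite actually changed the ticket: both `dd` invocations have their stderr discarded, and if `wc -c` yields nothing the arithmetic quietly produces a zero-length write, so a silent failure here would surface later as an unexpected `tpm2_sign` success in `run_test_fail` rather than at the tamper step. One line after the pipeline makes that case self-explanatory: `cmp -s "$TEST_TMPDIR/hs_ticket.bin" "$TEST_TMPDIR/hs_ticket.bad" && { echo "ticket tamper was a no-op"; exit 1; }`. The comment says this mirrors the certifycreation test above; since the size/offset/dd sequence is now duplicated, a small helper such as `tamper_tail FILE` called from both tests would keep the two in step. The enclosing `run_test` invocation starts before the hunk and the `run_test_fail` command continues past its last line.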