wolfSSL · dgarske · May 27, 2026 · May 29, 2026
diff --git a/.github/workflows/coverity-scan-fixes.yml b/.github/workflows/coverity-scan-fixes.yml
@@ -63,10 +63,16 @@ jobs:
       env:
         TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN_WOLFTPM }}
       run: |
-        curl https://scan.coverity.com/download/cxx/linux64 \
-          --no-progress-meter \
+        curl -L --fail --no-progress-meter \
           --output cov-analysis.tar.gz \
-          --data "token=${TOKEN}&project=wolfTPM"
+          --data "token=${TOKEN}&project=wolfTPM" \
+          https://scan.coverity.com/download/cxx/linux64
+        file cov-analysis.tar.gz
+        if ! gzip -t cov-analysis.tar.gz 2>/dev/null; then
+          echo "Downloaded file is not gzip — server response:"
+          head -c 2000 cov-analysis.tar.gz
+          exit 1
+        fi
         mkdir -p cov-analysis
         tar -xzf cov-analysis.tar.gz --strip 1 -C cov-analysis
 

diff --git a/scripts/tpm2_tools_test.sh b/scripts/tpm2_tools_test.sh
@@ -1250,10 +1250,20 @@ run_test "tpm2_sign consumes TK_HASHCHECK ticket" \
         -o "$TEST_TMPDIR/hs_sig.bin" \
         "$TEST_TMPDIR/hs_digest.bin"
 
-# Negative: tamper ticket bytes; sign should reject (TPM_RC_TICKET).
+# Negative: corrupt the ticket digest; sign should reject (TPM_RC_TICKET).
+# Overwrite the trailing half of the ticket (where the HMAC digest lives)
+# rather than a single byte with a fixed value. A one-byte constant
+# overwrite is a no-op ~1/256 of the time when the original byte already
+# equals that value, leaving the ticket valid and making this test flaky.
+# Mirrors the robust tamper used by the certifycreation test above.
 cp "$TEST_TMPDIR/hs_ticket.bin" "$TEST_TMPDIR/hs_ticket.bad"
-printf '\x55' | dd of="$TEST_TMPDIR/hs_ticket.bad" \
-    bs=1 count=1 seek=16 conv=notrunc 2>/dev/null
+HS_TICKET_SIZE=$(wc -c < "$TEST_TMPDIR/hs_ticket.bad")
+HS_TAMPER_OFFSET=$((HS_TICKET_SIZE / 2))
+HS_TAMPER_LEN=$((HS_TICKET_SIZE - HS_TAMPER_OFFSET))
+dd if=/dev/zero bs=1 count="$HS_TAMPER_LEN" 2>/dev/null \
+    | tr '\000' '\125' \
+    | dd of="$TEST_TMPDIR/hs_ticket.bad" \
+        bs=1 seek="$HS_TAMPER_OFFSET" conv=notrunc 2>/dev/null
 run_test_fail "tpm2_sign rejects tampered TK_HASHCHECK (TPM_RC_TICKET)" \
     tpm2_sign -c "$TEST_TMPDIR/hs_sign.ctx" \
         -g sha256 -d -t "$TEST_TMPDIR/hs_ticket.bad" \