Remove go-getter from GetContent

Remove the go-getter dependency from bundlereader and replace its use
with go-git for git sources and stdlib HTTP for HTTP archive extraction.

CA bundles augment the system pool rather than replacing it; go-git
creates an isolated transport per clone so concurrent clones with
different CAs need no mutex. SCP-style SSH sources accept any username,
and forced-scheme prefixes (git::, ssh::) are normalised to proper URLs.
Source shorthands cover GitHub, GitLab, and Bitbucket.

HTTP archives (tar.gz, tar.bz2, tar.zst, tar, gz, bz2, zst, zip) are
extracted inline; ?checksum=<type>:<hex> verifies the body via a
TeeReader; ?archive= overrides extension detection. Symlink and path
traversal in tar and zip archives are rejected. Error messages redact
any embedded credentials in clone URLs.

Author: thardeck

e2e/single-cluster/go_getter_custom_ca_test.go

@@ -21,15 +21,12 @@ import (
 	"sigs.k8s.io/yaml"
 )
 
-// Those tests are specifically targeting one feature of go-getter, namely cloning of git
-// repositories using HTTPS. That is, because TLS certificates are only used in HTTPS URLs, not if
-// SSH keys are used to clone those repositories. Since go-getter shells out to the `git` CLI for
-// cloning git repositories, the configuration of TLS certificates or ignoring those needs to be
-// configured with `git` typical environment variables. Those are the tests for that implementation.
-// For go-getter to be used, the `helm.chart` field in `fleet.yaml` needs to point to a URL that
-// tells go-getter to use the git protocol over HTTPS. Such an URL is prefixed with `git::https://`.
-// The contents fetched from those repositories are expected to be helm charts.
-var _ = Describe("Testing go-getter CA bundles and insecureSkipVerify for cloning git repositories", Label("infra-setup"), func() {
+// These tests cover HTTPS cloning of git repositories via the `git::https://` URL prefix in
+// `helm.chart`, including TLS certificate configuration (custom CA bundles and InsecureSkipVerify).
+// The implementation uses go-git directly; the `git::` prefix is detected by Fleet's source parser
+// and dispatched to the go-git–based fetcher. The contents fetched from those repositories are
+// expected to be helm charts.
+var _ = Describe("Testing CA bundles and insecureSkipVerify for cloning git repositories", Label("infra-setup"), func() {
 	const (
 		sleeper    = "sleeper"
 		entrypoint = "entrypoint"
@@ -167,7 +164,7 @@ var _ = Describe("Testing go-getter CA bundles and insecureSkipVerify for clonin
 		tmpAssetDir := path.Join(tmpDir, "entryPoint")
 		err = os.Mkdir(tmpAssetDir, 0755)
 		Expect(err).ToNot(HaveOccurred())
-		url := "git::" + gh.GetInClusterURL(host, HTTPSPort, "repo?ref="+sleeper)
+		url := "git::" + gh.GetInClusterURL(host, HTTPSPort, "repo//"+sleeper)
 		err = os.WriteFile(
 			path.Join(tmpAssetDir, "fleet.yaml"),
 			fmt.Appendf([]byte{}, "helm:\n  chart: %s\n", url),
@@ -185,7 +182,7 @@ var _ = Describe("Testing go-getter CA bundles and insecureSkipVerify for clonin
 		_, _ = k.Delete("ns", targetNamespace)
 	})
 
-	When("testing custom CA bundles for cloning git with HTTPS using go-getter (fleet.yaml)", func() {
+	When("testing custom CA bundles for cloning git with HTTPS (fleet.yaml)", func() {
 		It("should succeed when not configuring any CA", func() {
 			// Create and apply GitRepo, don't configure CABundle, InsecureSkipTLSVerify,
 			// helmSecretName, or helmSecretNameForPath in GitRepo.spec which makes it fall back to
@@ -267,7 +264,7 @@ var _ = Describe("Testing go-getter CA bundles and insecureSkipVerify for clonin
 		})
 	})
 
-	When("testing ignoring insecure certificates for cloning git repositories with HTTPS using go-getter (fleet.yaml)", func() {
+	When("testing ignoring insecure certificates for cloning git repositories with HTTPS (fleet.yaml)", func() {
 		It("should succeed when using the incorrect CA bundle provided in GitRepo's CABundle field but setting InsecureSkipTLSVerify to true", func() {
 			// But it should fail in gitcloner already, not later in fleet apply.
 			encodedCert := base64.StdEncoding.EncodeToString([]byte("invalid-ca-bundle"))

go.mod

@@ -26,8 +26,8 @@ require (
 	github.com/gogits/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
 	github.com/google/go-cmp v0.7.0
 	github.com/google/go-containerregistry v0.21.2
-	github.com/hashicorp/go-getter/v2 v2.2.3
 	github.com/jpillora/backoff v1.0.0
+	github.com/klauspost/compress v1.18.5
 	github.com/onsi/ginkgo/v2 v2.28.1
 	github.com/onsi/gomega v1.39.0
 	github.com/opencontainers/go-digest v1.0.0
@@ -82,7 +82,6 @@ require (
 	github.com/ProtonMail/go-crypto v1.3.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.3 // indirect
@@ -135,19 +134,13 @@ require (
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-	github.com/hashicorp/errwrap v1.1.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-safetemp v1.0.0 // indirect
-	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.18.4 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
@@ -157,7 +150,6 @@ require (
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/spdystream v0.5.0 // indirect
@@ -183,7 +175,6 @@ require (
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 // indirect
 	github.com/tetratelabs/wazero v1.11.0 // indirect
-	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/vbatts/tar-split v0.12.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect

go.sum

@@ -37,8 +37,6 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=
-github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/bradleyfalzon/ghinstallation/v2 v2.16.0 h1:B91r9bHtXp/+XRgS5aZm6ZzTdz3ahgJYmkt4xZkgDz8=
@@ -237,19 +235,6 @@ github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJr
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 h1:X+2YciYSxvMQK0UZ7sg45ZVabVZBeBuvMkmuI2V3Fak=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7/go.mod h1:lW34nIZuQ8UDPdkon5fmfp2l3+ZkQ2me/+oecHYLOII=
-github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
-github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
-github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-getter/v2 v2.2.3 h1:6CVzhT0KJQHqd9b0pK3xSP0CM/Cv+bVhk+jcaRJ2pGk=
-github.com/hashicorp/go-getter/v2 v2.2.3/go.mod h1:hp5Yy0GMQvwWVUmwLs3ygivz1JSLI323hdIE9J9m7TY=
-github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
-github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo=
-github.com/hashicorp/go-safetemp v1.0.0/go.mod h1:oaerMy3BhqiTbVye6QuFhFtIceqFoDHxNAB65b+Rj1I=
-github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
-github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU=
 github.com/hashicorp/golang-lru/v2 v2.0.5 h1:wW7h1TG88eUIJ2i69gaE3uNVtEPIagzhGvHgwfx2Vm4=
@@ -272,8 +257,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
-github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
-github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
+github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -311,8 +296,6 @@ github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa1
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
-github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
 github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
@@ -438,8 +421,6 @@ github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
 github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
-github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
-github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4=
 github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=

integrationtests/bundlereader/getcontent_test.go

@@ -92,6 +92,18 @@ var _ = Describe("GetContent fetches files from a git repository", Label("networ
 			})
 		})
 
+		When("a CA bundle is provided", func() {
+			It("returns the repository files", func() {
+				source := fmt.Sprintf("git::%s/%s/%s", httpsBase, utils.GogsUser, repoName)
+				files, err := bundlereader.GetContent(
+					context.Background(), GinkgoT().TempDir(), source, "",
+					bundlereader.Auth{CABundle: gogsCABundle}, false, nil,
+				)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(files).To(HaveKey("README.md"))
+			})
+		})
+
 		When("no TLS configuration is provided", func() {
 			It("fails with a certificate error", func() {
 				source := fmt.Sprintf("git::%s/%s/%s", httpsBase, utils.GogsUser, repoName)
@@ -236,6 +248,47 @@ var _ = Describe("GetContent fetches files from a git repository", Label("networ
 			Expect(err).NotTo(HaveOccurred())
 			Expect(files).To(HaveKey("README.md"))
 		})
+
+		It("returns the repository files when a correct known host entry is provided", func() {
+			privateKey, err := os.ReadFile(tmpKeyFile)
+			Expect(err).NotTo(HaveOccurred())
+
+			knownHost, err := utils.GetGogsKnownHostEntry(context.Background(), container)
+			Expect(err).NotTo(HaveOccurred())
+
+			source := fmt.Sprintf("%s/%s/%s", sshBase, utils.GogsUser, repoName)
+			Eventually(func() error {
+				_, err = bundlereader.GetContent(
+					context.Background(), GinkgoT().TempDir(), source, "",
+					bundlereader.Auth{SSHPrivateKey: privateKey, SSHKnownHosts: []byte(knownHost)}, false, nil,
+				)
+				return err
+			}, timeout, interval).Should(Succeed())
+
+			files, err := bundlereader.GetContent(
+				context.Background(), GinkgoT().TempDir(), source, "",
+				bundlereader.Auth{SSHPrivateKey: privateKey, SSHKnownHosts: []byte(knownHost)}, false, nil,
+			)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(files).To(HaveKey("README.md"))
+		})
+
+		It("fails when a wrong known host entry is provided", func() {
+			privateKey, err := os.ReadFile(tmpKeyFile)
+			Expect(err).NotTo(HaveOccurred())
+
+			// A valid-looking but wrong known_hosts entry: the key is for github.com, not our gogs server.
+			wrongKnownHost := "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"
+
+			source := fmt.Sprintf("%s/%s/%s", sshBase, utils.GogsUser, repoName)
+			Eventually(func() error {
+				_, err = bundlereader.GetContent(
+					context.Background(), GinkgoT().TempDir(), source, "",
+					bundlereader.Auth{SSHPrivateKey: privateKey, SSHKnownHosts: []byte(wrongKnownHost)}, false, nil,
+				)
+				return err
+			}, timeout, interval).Should(HaveOccurred())
+		})
 	})
 })
 

integrationtests/bundlereader/httpcontent_test.go

@@ -0,0 +1,146 @@
+package bundlereader_test
+
+import (
+	"archive/tar"
+	"bytes"
+	"compress/gzip"
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"net/http"
+	"net/http/httptest"
+	"path/filepath"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/rancher/fleet/internal/bundlereader"
+)
+
+// newTarGz builds a tar.gz archive in memory containing the given files
+// (map of relative name → content) and returns the bytes.
+func newTarGz(files map[string][]byte) []byte {
+	var buf bytes.Buffer
+	gw := gzip.NewWriter(&buf)
+	tw := tar.NewWriter(gw)
+	for name, data := range files {
+		_ = tw.WriteHeader(&tar.Header{
+			Typeflag: tar.TypeReg,
+			Name:     name,
+			Size:     int64(len(data)),
+			Mode:     0600,
+		})
+		_, _ = tw.Write(data)
+	}
+	_ = tw.Close()
+	_ = gw.Close()
+	return buf.Bytes()
+}
+
+var _ = Describe("GetContent fetches HTTP sources", func() {
+	var (
+		srv *httptest.Server
+		archiveBytes []byte
+	)
+
+	BeforeEach(func() {
+		archiveBytes = newTarGz(map[string][]byte{
+			"README.md":        []byte("hello"),
+			"subdir/config.yaml": []byte("key: value"),
+		})
+	})
+
+	AfterEach(func() {
+		if srv != nil {
+			srv.Close()
+			srv = nil
+		}
+	})
+
+	When("the URL points to a tar.gz archive", func() {
+		It("extracts the archive and returns the files", func() {
+			srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				_, _ = w.Write(archiveBytes)
+			}))
+
+			files, err := bundlereader.GetContent(
+				context.Background(), GinkgoT().TempDir(), srv.URL+"/bundle.tar.gz", "",
+				bundlereader.Auth{}, false, nil,
+			)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(files).To(HaveKey("README.md"))
+			Expect(files).To(HaveKey(filepath.Join("subdir", "config.yaml")))
+		})
+	})
+
+	When("the URL has no recognisable extension but ?archive= is provided", func() {
+		It("extracts using the override extension", func() {
+			srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				// The server must NOT receive the ?archive= parameter.
+				Expect(r.URL.Query().Get("archive")).To(BeEmpty())
+				_, _ = w.Write(archiveBytes)
+			}))
+
+			files, err := bundlereader.GetContent(
+				context.Background(), GinkgoT().TempDir(), srv.URL+"/download?archive=tar.gz", "",
+				bundlereader.Auth{}, false, nil,
+			)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(files).To(HaveKey("README.md"))
+		})
+	})
+
+	When("a correct ?checksum= is provided", func() {
+		It("succeeds when the hash matches", func() {
+			h := sha256.New()
+			h.Write(archiveBytes)
+			hexHash := hex.EncodeToString(h.Sum(nil))
+
+			srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				// The server must NOT receive the ?checksum= parameter.
+				Expect(r.URL.Query().Get("checksum")).To(BeEmpty())
+				_, _ = w.Write(archiveBytes)
+			}))
+
+			_, err := bundlereader.GetContent(
+				context.Background(), GinkgoT().TempDir(),
+				srv.URL+"/bundle.tar.gz?checksum=sha256:"+hexHash, "",
+				bundlereader.Auth{}, false, nil,
+			)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("fails when the hash does not match", func() {
+			wrongHash := "0000000000000000000000000000000000000000000000000000000000000000"
+
+			srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				_, _ = w.Write(archiveBytes)
+			}))
+
+			_, err := bundlereader.GetContent(
+				context.Background(), GinkgoT().TempDir(),
+				srv.URL+"/bundle.tar.gz?checksum=sha256:"+wrongHash, "",
+				bundlereader.Auth{}, false, nil,
+			)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("checksum mismatch"))
+		})
+	})
+
+	When("the URL points to a plain file", func() {
+		It("writes the file under its URL base name", func() {
+			content := []byte("plain content")
+			srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				_, _ = w.Write(content)
+			}))
+
+			files, err := bundlereader.GetContent(
+				context.Background(), GinkgoT().TempDir(), srv.URL+"/data.txt", "",
+				bundlereader.Auth{}, false, nil,
+			)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(files).To(HaveKey("data.txt"))
+			Expect(files["data.txt"]).To(Equal(content))
+		})
+	})
+})