2 changes: 1 addition & 1 deletion scripts/CLAUDE.md
Expand Up @@ -15,7 +15,7 @@ Support scripts for deployment and installation. None of these are called by the
- `entrypoint.sh` **always overwrites** `adapter.js` / `adapter.py` from the image on every container start — this ensures runtime upgrades roll out even when the user mounts a persistent `orva-data` volume.
- `install.sh` embeds the systemd/OpenRC units and `uninstall.sh`; the bare-metal install writes them to `$PREFIX/share/orva/scripts/` and the generated uninstaller to the same path. Edit the heredocs in `install.sh` — there is no separate unit file.
- `install.sh --cli-only` installs only the `orva` CLI binary to `/usr/local/bin/orva` — no systemd unit, no rootfs, no service user. Use this on operator laptops or CI runners that talk to a remote Orva over HTTPS.
- Mode/option precedence is flag > env > interactive prompt > default. Key knobs: `--version`/`ORVA_VERSION` (pin a release), `--dry-run`/`ORVA_INSTALL_DRYRUN=1` (detect only), `--no-pkg`/`ORVA_NO_PKG=1` (skip system packages), `--runtime`/`ORVA_DOCKER_RUNTIME` (force the Docker runtime). There is **no** checksum-bypass env var `ORVA_SKIP_VERIFY` is referenced in a stale `install.sh` comment but is not implemented.
- Mode/option precedence is flag > env > interactive prompt > default. Key knobs: `--version`/`ORVA_VERSION` (pin a release), `--dry-run`/`ORVA_INSTALL_DRYRUN=1` (detect only), `--no-pkg`/`ORVA_NO_PKG=1` (skip system packages), `--runtime`/`ORVA_DOCKER_RUNTIME` (force the Docker runtime). There is **no** checksum-bypass env var (no `ORVA_SKIP_VERIFY` or similar).
- Downloaded assets (orva, nsjail, rootfs, CLI) are SHA-256 verified against `checksums.txt`. A checksum **mismatch** aborts the install. A *missing* checksum entry only warns and proceeds in `install.sh` (`verify()` is fail-open on a missing entry); `install-cli.sh` is stricter and aborts when the entry is missing.
- `build-rootfs.sh` produces large tarballs (~hundreds of MB); run only when updating the rootfs base image or adding system libraries.
- Cross-distro installer tests: `test/install/matrix.sh` (fast, unprivileged — shellcheck + POSIX parse + dry-run + real CLI install across 6 distros) and the privileged systemd-in-docker harness under `test/install/`. CI: `.github/workflows/install-e2e.yml`.
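Review bot: the reworded bullet ending "There is **no** checksum-bypass env var (no `ORVA_SKIP_VERIFY` or similar)" can be read as "verification cannot be skipped", while the very next bullet says `install.sh` warns and proceeds when a checksum entry is missing. Suggest adding a short pointer on this line, for example "verification is still skipped when the entry is missing, see the next bullet", so a reader scanning for bypasses does not stop at this sentence. Dropping the mention of the stale `install.sh` comment is consistent with that comment being corrected in this same change.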
5 changes: 3 additions & 2 deletions scripts/install.sh
Expand Up @@ -633,8 +633,9 @@ download_and_install_binaries() {
log "downloading orva + nsjail (linux-${ARCH})"
fetch "$base/orva-linux-${ARCH}" "$tmp/orva" || die "failed to download orva-linux-${ARCH}"
fetch "$base/nsjail-linux-${ARCH}" "$tmp/nsjail" || die "failed to download nsjail-linux-${ARCH}"
# Leave checksums.txt absent on failure and let verify() enforce policy
# (fail-closed unless ORVA_SKIP_VERIFY=1).
# Best-effort: if checksums.txt can't be fetched it's left absent, and
# verify() then finds no entry and warns+skips per asset (fail-open on a
# MISSING checksum). A checksum MISMATCH still aborts via die().
fetch "$base/checksums.txt" "$tmp/checksums.txt" || warn "could not download checksums.txt"
log "verifying checksums"
verify "$tmp/orva" "orva-linux-${ARCH}"
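Review bot: at the `fetch "$base/checksums.txt" "$tmp/checksums.txt" || warn "could not download checksums.txt"` line, the rewritten comment now describes the behaviour accurately, but that behaviour means a failed checksums.txt download lets the downloaded binaries through with no integrity check and only a generic warning. The two binary fetches directly above use `|| die`, and scripts/CLAUDE.md in this same change notes that `install-cli.sh` aborts on a missing entry, so consider `|| die` here as well, or at minimum make the warn text say that checksum verification will be skipped for every asset. If fail-open is intentional, the comment should state the reason, not only the effect.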