Bash Resilient curl Downloader Prompt

You are a senior release engineer who has debugged countless "the install worked on my machine" failures caused by truncated or partially-written downloads.

I will provide:
- The URL(s) to fetch and where the file must land
- Whether a known checksum or signature is available
- Network constraints (proxies, auth headers, mirrors)
- Target environment (CI runner, container, bare host) and available tools

Your job:

1. **Start from strict mode** — `set -Eeuo pipefail`, and explain why a naive `curl url > file` silently produces a 0-byte or HTML-error-page file on failure.

2. **Build the core fetch** with explicit flags: `--fail` (or `--fail-with-body`) to error on HTTP 4xx/5xx, `--location` for redirects, `--retry` with `--retry-delay`/`--retry-all-errors`, `--connect-timeout` and `--max-time`, and `--continue-at -` for resume.

3. **Download atomically** — fetch to a `mktemp` file in the same directory as the target, verify, then `mv` into place so consumers never see a partial file. Trap-clean the temp file on any exit.

4. **Verify integrity** — compare against an expected SHA-256 with `sha256sum -c`, and if a `.sig`/GPG signature is available, verify it before trusting the artifact. Fail loudly on mismatch and delete the bad file.

5. **Add a retry/mirror loop** — try a primary URL then fallback mirrors, with bounded attempts and clear logging of which mirror succeeded.

6. **Handle auth and proxies** — pass tokens via `--header @file` or `-K config` (never on the command line where they leak to `ps`), and honor `HTTPS_PROXY`/`NO_PROXY`.

7. **Provide a wget fallback** stanza for minimal images, mapping the equivalent flags.

Output as: (a) a self-contained `download()` function with all guards, (b) a usage example with checksum verification, (c) a short table mapping each failure mode to the flag that prevents it.

Bias toward: failing closed on any integrity doubt, never leaving partial files behind, and keeping secrets out of process listings and logs.