assertFalse(echoResponse.isVerifyFailed());
            verify(mockDigest).verify(buffer, 0, 100, 0, echoResponse);
        }

        @Test
        @DisplayName("Should fail signature verification when digest verification fails")
        void testVerifySignatureFailed() throws Exception {
            byte[] buffer = new byte[1024];
            echoResponse.setDigest(mockDigest);

            // Use constant-time comparison to prevent timing attacks
            if (!MessageDigest.isEqual(sig, cmp)) {
                return false; // Signature verification failed
            }
            return true; // Signature verification succeeded
        } finally {
            this.signingLock.unlock();
        }
    }

    /**
     * Securely wipe signing key from memory
     */

            assertTrue(result);
            assertFalse(response.isVerifyFailed());
        }

        @Test
        @DisplayName("Should handle signature verification failure")
        void testVerifySignatureFailure() {
            byte[] buffer = new byte[100];
            response.setDigest(mockDigest);

        assertFalse(
                wagon.getTransferEventSupport().hasTransferListener(transferListener),
                "Transfer listener still registered after putArtifact");
    }

    /**
     * Checks the verification of checksums.
     */
    @Disabled
    @Test
    void testChecksumVerification() throws Exception {
        ArtifactRepositoryPolicy policy = new ArtifactRepositoryPolicy(

     *
     * @param macSigningKey
     *            The MAC signing key used for generating signatures
     * @param bypass
     *            Whether to bypass signature verification
     */
    public SMB1SigningDigest(final byte[] macSigningKey, final boolean bypass) {
        this(macSigningKey, bypass, 0);
    }

    /**

        @DisplayName("Should correctly verify signatures - regression test for inverted logic bug")
        void testVerifySignatureLogicRegression() throws Exception {
            // This test ensures the signature verification logic is not inverted
            // Previously there was a bug where verify returned true for invalid signatures

            // Set signed flag

			Description: "set to 'on' to enable TLS",
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         target.KafkaTLSSkipVerify,
			Description: `trust server TLS without verification, defaults to "on" (verify)`,
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         target.KafkaClientTLSCert,
			Description: "path to client certificate for mTLS auth",

	}
}

// Tests hash reader checksum verification.
func TestHashReaderVerification(t *testing.T) {
	testCases := []struct {
		desc              string
		src               io.Reader
		size              int64
		actualSize        int64
		md5hex, sha256hex string
		err               error
	}{
		0: {
			desc:       "Success, no checksum verification provided.",
			src:        bytes.NewReader([]byte("abcd")),

    @Test
    @DisplayName("Test decode with signature verification failure")
    void testDecodeWithSignatureVerificationFailure() {
        testBlock = new TestAndXServerMessageBlock(mockConfig, (byte) 0x25) {
            @Override
            public boolean verifySignature(byte[] data, int offset, int length) {
                return false; // Simulate signature verification failure
            }

            @Override

sasl             (on|off)    set to 'on' to enable SASL authentication
tls              (on|off)    set to 'on' to enable TLS
tls_skip_verify  (on|off)    trust server TLS without verification, defaults to "on" (verify)
client_tls_cert  (path)      path to client certificate for mTLS auth
client_tls_key   (path)      path to client key for mTLS auth