--- a/tools/userland-fetch	Thu May 21 16:49:12 2015 -0700
+++ b/tools/userland-fetch	Thu May 21 23:34:16 2015 -0700
@@ -352,7 +352,8 @@
 				# that the expected hash is just a typo, but we
 				# warn just in case.
 				if sig_valid:
-					print "invalid hash!"
+					print "invalid hash! Did you forget " \
+					    "to update it?"
 				else:
 					print "corruption detected"
 
@@ -360,9 +361,24 @@
 				print "    actual:   %s" % realhash
 				print "    payload:  %s" % payloadhash
 
-				# An invalid hash shouldn't cause us to remove
-				# the target file if the signature was valid.
-				if not sig_valid:
+				# If the hash is invalid, but the signature
+				# validation succeeded, rename the archive (so
+				# the user doesn't have to re-download it) and
+				# fail.  Otherwise, try to remove the file and
+				# try again.
+				if sig_valid:
+					newname = name + ".invalid-hash"
+					try:
+						os.rename(name, newname)
+					except OSError:
+						pass
+					else:
+						print "archive saved as %s; " \
+						    "if it isn't corrupt, " \
+						    "rename to %s" % (newname,
+						    name)
+					sys.exit(1)
+				else:
 					try:
 						os.remove(name)
 					except OSError: