diff --git a/auplc-installer b/auplc-installer
index 2df860e..0c38e36 100755
--- a/auplc-installer
+++ b/auplc-installer
@@ -29,7 +29,11 @@ set -euo pipefail
 # Pinned tool versions (used by pack and offline install)
 K3S_VERSION="v1.32.3+k3s1"
 HELM_VERSION="v3.17.2"
+HELM_LINUX_AMD64_SHA256="90c28792a1eb5fb0b50028e39ebf826531ebfcf73f599050dbd79bab2f277241"
 K9S_VERSION="v0.32.7"
+K9S_LINUX_AMD64_DEB_SHA256="3f12b34557d9ed9eada465b6fad57dbe9367786f68cfd4604a6771a9f08446b8"
+ROCM_DEVICE_PLUGIN_COMMIT="dea1db13f05159e64d8114bca4c31f48c3cfcac6"
+ROCM_DEVICE_PLUGIN_SHA256="b751e467feecf6118bed1de8ba80b9abff01c1f52a6b0b8f31aca3609e6e9dbd"
 
 K3S_IMAGES_DIR="/var/lib/rancher/k3s/agent/images"
 K3S_REGISTRIES_FILE="/etc/rancher/k3s/registries.yaml"
@@ -266,6 +270,19 @@ function generate_values_overlay() {
 # Tool Installation (Helm, K9s)
 # ============================================================
 
+function verify_sha256() {
+ local file="$1"
+ local expected="$2"
+ local actual
+ actual=$(sha256sum "$file" | awk '{print $1}')
+ if [[ "$actual" != "$expected" ]]; then
+ echo "Checksum mismatch for $file" >&2
+ echo "Expected: $expected" >&2
+ echo "Actual: $actual" >&2
+ exit 1
+ fi
+}
+
 function install_tools() {
 echo "Checking/Installing tools (may require sudo)..."
 
@@ -285,6 +302,7 @@ function install_tools() {
 if ! command -v helm &> /dev/null; then
 echo "Installing Helm..."
 wget https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz -O /tmp/helm-linux-amd64.tar.gz
+ verify_sha256 /tmp/helm-linux-amd64.tar.gz "$HELM_LINUX_AMD64_SHA256"
 tar -zxvf /tmp/helm-linux-amd64.tar.gz -C /tmp
 sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm
 rm /tmp/helm-linux-amd64.tar.gz
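Review bot: The new checksum constants carry no note on how they were derived or which artifact they cover, so a later bump of HELM_VERSION, K9S_VERSION or ROCM_DEVICE_PLUGIN_COMMIT can silently leave a stale digest that fails every install. Suggest a comment above HELM_LINUX_AMD64_SHA256 such as `# SHA256 pins cover the linux-amd64 artifacts of the versions above; regenerate with sha256sum on the freshly downloaded file whenever the matching version or commit changes.` K3S_VERSION is the one pin in this group without a companion digest; see the note on the install_k3s_single_node hunk.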
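Review bot: On mismatch verify_sha256 terminates the whole installer but leaves the rejected file behind at its fixed path, because every caller deletes the download only on the success path after it returns. Adding `rm -f -- "$file"` before `exit 1` keeps an unverified artifact from lingering on disk. The function also lacks a header in the file's comment style; it should document the two arguments (path, expected hex digest) and state explicitly that it exits the script rather than returning non-zero, so callers know not to rely on cleanup after a failed check.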
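Review bot: verify_sha256 runs on a fixed, world-writable path (/tmp/helm-linux-amd64.tar.gz) and the file is then consumed by separate commands (tar, sudo mv), so there is a window between the check and the use in which any other local user can replace the file; the k9s, get-k3s.sh and ROCm YAML hunks share the pattern, with sudo apt install and sudo sh consuming the result. Downloading and verifying inside a private directory from mktemp -d, removed by the caller, closes that window and also drops the pre-existing reliance on /tmp/linux-amd64 not already existing. install_tools starts and ends outside this hunk.
```shell
# … unchanged: earlier part of install_tools …
  if ! command -v helm &> /dev/null; then
    echo "Installing Helm..."
    local helm_tmp
    helm_tmp=$(mktemp -d)
    wget "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" -O "${helm_tmp}/helm-linux-amd64.tar.gz"
    verify_sha256 "${helm_tmp}/helm-linux-amd64.tar.gz" "$HELM_LINUX_AMD64_SHA256"
    tar -zxf "${helm_tmp}/helm-linux-amd64.tar.gz" -C "${helm_tmp}"
    sudo install -m 0755 "${helm_tmp}/linux-amd64/helm" /usr/local/bin/helm
    rm -rf -- "${helm_tmp:?}"
  fi
# … unchanged: k9s section and rest of install_tools …
```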
@@ -294,6 +312,7 @@ function install_tools() {
 if ! command -v k9s &> /dev/null; then
 echo "Installing K9s..."
 wget "https://github.com/derailed/k9s/releases/download/${K9S_VERSION}/k9s_linux_amd64.deb" -O /tmp/k9s_linux_amd64.deb
+ verify_sha256 /tmp/k9s_linux_amd64.deb "$K9S_LINUX_AMD64_DEB_SHA256"
 sudo apt install /tmp/k9s_linux_amd64.deb -y
 rm /tmp/k9s_linux_amd64.deb
 fi
@@ -398,8 +417,12 @@ function install_k3s_single_node() {
 
 configure_registry_mirrors
 
- curl -sfL https://get.k3s.io | sudo K3S_KUBECONFIG_MODE="644" \
- INSTALL_K3S_EXEC="${k3s_exec}" sh -
+ wget https://get.k3s.io -O /tmp/get-k3s.sh
+ sudo INSTALL_K3S_VERSION="${K3S_VERSION}" \
+ K3S_KUBECONFIG_MODE="644" \
+ INSTALL_K3S_EXEC="${k3s_exec}" \
+ sh /tmp/get-k3s.sh
+ rm -f /tmp/get-k3s.sh
 fi
 
 echo "Configuring kubeconfig for user: $(whoami)"
@@ -523,7 +546,10 @@ function deploy_rocm_gpu_device_plugin() {
 kubectl patch ds amdgpu-device-plugin-daemonset -n kube-system --type=json \
 -p '[{"op":"replace","path":"/spec/template/spec/containers/0/imagePullPolicy","value":"IfNotPresent"}]'
 else
- kubectl create -f https://raw.githubusercontent.com/ROCm/k8s-device-plugin/master/k8s-ds-amdgpu-dp.yaml
+ wget "https://raw.githubusercontent.com/ROCm/k8s-device-plugin/${ROCM_DEVICE_PLUGIN_COMMIT}/k8s-ds-amdgpu-dp.yaml" -O /tmp/k8s-ds-amdgpu-dp.yaml
+ verify_sha256 /tmp/k8s-ds-amdgpu-dp.yaml "$ROCM_DEVICE_PLUGIN_SHA256"
+ kubectl create -f /tmp/k8s-ds-amdgpu-dp.yaml
+ rm -f /tmp/k8s-ds-amdgpu-dp.yaml
 fi
 
 if ! kubectl wait --for=jsonpath='{.status.numberReady}'=1 --namespace=kube-system ds/amdgpu-device-plugin-daemonset --timeout=300s | grep "condition met"; then
diff --git a/scripts/test/test_auplc_installer.sh b/scripts/test/test_auplc_installer.sh
new file mode 100644
index 0000000..1a56f6f
--- /dev/null
+++ b/scripts/test/test_auplc_installer.sh
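Review bot: get-k3s.sh is the one download in this commit that is executed under sudo without any integrity check; replacing the curl pipe with a file changes when the script runs, not what is run. Pinning its digest beside the other constants, `K3S_INSTALL_SCRIPT_SHA256="<sha256-of-pinned-get-k3s.sh>"`, and calling `verify_sha256 /tmp/get-k3s.sh "$K3S_INSTALL_SCRIPT_SHA256"` right after the wget gives it the same guarantee as the helm and k9s artifacts; the upstream script may change over time, so that pin needs the same refresh note as the other digests. INSTALL_K3S_VERSION appears to pin which k3s release the script fetches, but it says nothing about the script itself. The fixed /tmp path here is the same issue raised on the helm hunk. install_k3s_single_node starts and ends outside this hunk.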
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+INSTALLER="$ROOT/auplc-installer"
+
+grep -q 'verify_sha256()' "$INSTALLER"
+grep -q 'HELM_LINUX_AMD64_SHA256=' "$INSTALLER"
+grep -q 'K9S_LINUX_AMD64_DEB_SHA256=' "$INSTALLER"
+grep -q 'ROCM_DEVICE_PLUGIN_SHA256=' "$INSTALLER"
+grep -q 'ROCM_DEVICE_PLUGIN_COMMIT=' "$INSTALLER"
+grep -Fq "INSTALL_K3S_VERSION=\"\${K3S_VERSION}\"" "$INSTALLER"
+
+if grep -q 'ROCM_DEVICE_PLUGIN_COMMIT="master"' "$INSTALLER"; then
+ echo 'FAIL: ROCm device plugin still tracks master instead of a pinned commit'
+ exit 1
+fi
+
+if grep -q 'curl -sfL https://get.k3s.io |' "$INSTALLER"; then
+ echo 'FAIL: k3s still uses pipe-to-shell'
+ exit 1
+fi
+
+if grep -q 'kubectl create -f https://raw.githubusercontent.com/ROCm/k8s-device-plugin/master/k8s-ds-amdgpu-dp.yaml' "$INSTALLER"; then
+ echo 'FAIL: ROCm plugin still applies remote URL directly'
+ exit 1
+fi
+
+grep -q 'verify_sha256 /tmp/helm-linux-amd64.tar.gz' "$INSTALLER"
+grep -q 'verify_sha256 /tmp/k9s_linux_amd64.deb' "$INSTALLER"
+grep -q 'verify_sha256 /tmp/k8s-ds-amdgpu-dp.yaml' "$INSTALLER"
+
+echo 'Installer integrity checks present.'
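Review bot: Every check in this file is a grep over the installer source, so verify_sha256 itself is never executed and a regression in its body (a wrong awk field, a dropped exit) would still pass. Extracting the function and running it against /dev/null, whose SHA-256 is the well-known empty-input digest, pins both the accept and the reject path with no network. The positive greps also match commented-out lines, so anchoring them on leading whitespace, e.g. `grep -Eq '^[[:space:]]*verify_sha256 /tmp/helm-linux-amd64.tar.gz' "$INSTALLER"`, would tighten them, and the FAIL messages belong on stderr with `>&2`.
```shell
# … unchanged: static grep checks …

# Run verify_sha256 itself rather than only grepping for it; /dev/null hashes to the empty-input digest.
verify_fn="$(sed -n '/^function verify_sha256()/,/^}/p' "$INSTALLER")"
empty_sha256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
bash -c "$verify_fn; verify_sha256 /dev/null $empty_sha256"
if bash -c "$verify_fn; verify_sha256 /dev/null 0000000000000000000000000000000000000000000000000000000000000000" 2>/dev/null; then
  echo 'FAIL: verify_sha256 accepted a wrong checksum' >&2
  exit 1
fi

echo 'Installer integrity checks present.'
```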