diff --git a/Makefile b/Makefile
index 11671240..ffcc8e42 100644
--- a/Makefile
+++ b/Makefile
@@ -49,8 +49,12 @@ noop: # do nothing
 # and Intel).
 HOST_OS ?= $(shell uname -s | tr A-Z a-z)
 HOST_ARCH ?= $(shell uname -m)
+
 ifeq (x86_64, $(HOST_ARCH))
 	HOST_ARCH = amd64
+else ifeq (aarch64, $(HOST_ARCH))
+	# linux reports the arm64 arch as aarch64
+	HOST_ARCH = arm64
 endif
 
 ##################################
diff --git a/klone.yaml b/klone.yaml
index d03a5fae..4bab8477 100644
--- a/klone.yaml
+++ b/klone.yaml
@@ -10,55 +10,55 @@ targets:
     - folder_name: boilerplate
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 64c3f1e25d0cfeca613256d58373aaa4aa45334f
+      repo_hash: 06bb8b339f2033e196cba881bc0fb724e1315cc5
       repo_path: modules/boilerplate
     - folder_name: cert-manager
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 64c3f1e25d0cfeca613256d58373aaa4aa45334f
+      repo_hash: 06bb8b339f2033e196cba881bc0fb724e1315cc5
       repo_path: modules/cert-manager
     - folder_name: controller-gen
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 64c3f1e25d0cfeca613256d58373aaa4aa45334f
+      repo_hash: 06bb8b339f2033e196cba881bc0fb724e1315cc5
       repo_path: modules/controller-gen
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 64c3f1e25d0cfeca613256d58373aaa4aa45334f
+      repo_hash: 06bb8b339f2033e196cba881bc0fb724e1315cc5
       repo_path: modules/generate-verify
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 64c3f1e25d0cfeca613256d58373aaa4aa45334f
+      repo_hash: 06bb8b339f2033e196cba881bc0fb724e1315cc5
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 64c3f1e25d0cfeca613256d58373aaa4aa45334f
+      repo_hash: 06bb8b339f2033e196cba881bc0fb724e1315cc5
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 64c3f1e25d0cfeca613256d58373aaa4aa45334f
+      repo_hash: 06bb8b339f2033e196cba881bc0fb724e1315cc5
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 64c3f1e25d0cfeca613256d58373aaa4aa45334f
+      repo_hash: 06bb8b339f2033e196cba881bc0fb724e1315cc5
       repo_path: modules/klone
     - folder_name: oci-image
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 64c3f1e25d0cfeca613256d58373aaa4aa45334f
+      repo_hash: 06bb8b339f2033e196cba881bc0fb724e1315cc5
       repo_path: modules/oci-image
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 64c3f1e25d0cfeca613256d58373aaa4aa45334f
+      repo_hash: 06bb8b339f2033e196cba881bc0fb724e1315cc5
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 64c3f1e25d0cfeca613256d58373aaa4aa45334f
+      repo_hash: 06bb8b339f2033e196cba881bc0fb724e1315cc5
       repo_path: modules/tools
diff --git a/make/_shared/helm/helm.mk b/make/_shared/helm/helm.mk
index 3fbf974d..ddfb848f 100644
--- a/make/_shared/helm/helm.mk
+++ b/make/_shared/helm/helm.mk
@@ -68,11 +68,24 @@ $(helm_chart_archive): $(helm_chart_sources) | $(NEEDS_HELM) $(NEEDS_YQ) $(bin_d
 ## @category [shared] Helm Chart
 helm-chart: $(helm_chart_archive)
 
+ifdef helm_docs_use_helm_tool
+
+helm_tool_header_search ?= ^<!-- AUTO-GENERATED -->
+helm_tool_footer_search ?= ^<!-- /AUTO-GENERATED -->
+
+.PHONY: generate-helm-docs
+## Generate Helm chart documentation.
+## @category [shared] Generate/ Verify
+generate-helm-docs: | $(NEEDS_HELM-TOOL)
+	$(HELM-TOOL) inject -i $(helm_chart_source_dir)/values.yaml -o $(helm_chart_source_dir)/README.md --header-search "$(helm_tool_header_search)" --footer-search "$(helm_tool_footer_search)"
+else
 .PHONY: generate-helm-docs
 ## Generate Helm chart documentation.
 ## @category [shared] Generate/ Verify
 generate-helm-docs: | $(NEEDS_HELM-DOCS)
 	$(HELM-DOCS) $(helm_chart_source_dir)/
+endif
+
 
 shared_generate_targets += generate-helm-docs
 
diff --git a/make/_shared/oci-image/01_mod.mk b/make/_shared/oci-image/01_mod.mk
index 52b2fa9e..f6c04c52 100644
--- a/make/_shared/oci-image/01_mod.mk
+++ b/make/_shared/oci-image/01_mod.mk
@@ -54,10 +54,11 @@ $(foreach build_name,$(build_names),$(eval $(call check_variables,$(build_name))
 
 ##########################################
 
+RELEASE_DRYRUN ?= false
+
 CGO_ENABLED ?= 0
+GOEXPERIMENT ?=  # empty by default
 
-build_targets := $(build_names:%=$(bin_dir)/bin/%)
-run_targets := $(build_names:%=run-%)
 oci_build_targets := $(build_names:%=oci-build-%)
 oci_push_targets := $(build_names:%=oci-push-%)
 oci_maybe_push_targets := $(build_names:%=oci-maybe-push-%)
@@ -65,30 +66,8 @@ oci_load_targets := $(build_names:%=oci-load-%)
 
 image_tool_dir := $(dir $(lastword $(MAKEFILE_LIST)))/image_tool/
 
-$(bin_dir)/bin:
-	mkdir -p $@
-
-## Build manager binary.
-## @category [shared] Build
-$(build_targets): $(bin_dir)/bin/%: FORCE | $(NEEDS_GO) $(bin_dir)/bin
-	CGO_ENABLED=$(CGO_ENABLED) \
-	$(GO) build \
-		-ldflags '$(go_$*_ldflags)' \
-		-o $@ \
-		$(go_$*_source_path)
-
-.PHONY: $(run_targets)
-ARGS ?= # default empty
-## Run a controller from your host.
-## @category [shared] Build
-$(run_targets): run-%: | $(NEEDS_GO)
-	CGO_ENABLED=$(CGO_ENABLED) \
-	$(GO) run \
-		-ldflags '$(go_$*_ldflags)' \
-		$(go_$*_source_path) $(ARGS)
-
 .PHONY: $(oci_build_targets)
-## Build the oci image.
+## Build the OCI image.
 ## @category [shared] Build
 $(oci_build_targets): oci-build-%: | $(NEEDS_KO) $(NEEDS_GO) $(NEEDS_YQ) $(bin_dir)/scratch/image
 	$(eval oci_layout_path := $(bin_dir)/scratch/image/oci-layout-$*.$(oci_$*_image_tag))
@@ -99,31 +78,34 @@ $(oci_build_targets): oci-build-%: | $(NEEDS_KO) $(NEEDS_GO) $(NEEDS_YQ) $(bin_d
 		$(YQ) '.builds[0].id = "$*"' | \
 		$(YQ) '.builds[0].main = "$(go_$*_source_path)"' | \
 		$(YQ) '.builds[0].env[0] = "CGO_ENABLED={{.Env.CGO_ENABLED}}"' | \
+		$(YQ) '.builds[0].env[1] = "GOEXPERIMENT={{.Env.GOEXPERIMENT}}"' | \
 		$(YQ) '.builds[0].ldflags[0] = "-s"' | \
 		$(YQ) '.builds[0].ldflags[1] = "-w"' | \
 		$(YQ) '.builds[0].ldflags[2] = "{{.Env.LDFLAGS}}"' \
 		> $(CURDIR)/$(oci_layout_path).ko_config.yaml
 
+	KO_DOCKER_REPO=$(oci_$*_image_name_development) \
 	KOCACHE=$(bin_dir)/scratch/image/ko_cache \
 	KO_CONFIG_PATH=$(CURDIR)/$(oci_layout_path).ko_config.yaml \
 	SOURCE_DATE_EPOCH=$(GITEPOCH) \
 	KO_GO_PATH=$(GO) \
 	LDFLAGS="$(go_$*_ldflags)" \
 	CGO_ENABLED=$(CGO_ENABLED) \
+	GOEXPERIMENT=$(GOEXPERIMENT) \
 	$(KO) build $(go_$*_source_path) \
 		--platform=$(oci_platforms) \
-		--oci-layout-path=$(CURDIR)/$(oci_layout_path) \
+		--oci-layout-path=$(oci_layout_path) \
 		--sbom-dir=$(CURDIR)/$(oci_layout_path).sbom \
 		--sbom=spdx \
 		--push=false \
-		--base-import-paths
+		--bare
 
 	cd $(image_tool_dir) && $(GO) run . list-digests \
 		$(CURDIR)/$(oci_layout_path) \
 		> $(CURDIR)/$(oci_layout_path).digests
 
 .PHONY: $(oci_push_targets)
-## Push docker image.
+## Build and push OCI image.
 ## If the tag already exists, this target will overwrite it.
 ## If an identical image was already built before, we will add a new tag to it, but we will not sign it again.
 ## Expected pushed images:
@@ -134,6 +116,7 @@ $(oci_push_targets): oci-push-%: oci-build-% | $(NEEDS_CRANE) $(NEEDS_COSIGN) $(
 	$(eval oci_layout_path := $(bin_dir)/scratch/image/oci-layout-$*.$(oci_$*_image_tag))
 	$(eval image_ref := $(shell head -1 $(CURDIR)/$(oci_layout_path).digests))
 
+ifneq ($(RELEASE_DRYRUN),true)
 	if $(CRANE) image digest $(oci_$*_image_name)@$(image_ref) >/dev/null 2>&1; then \
 		echo "Digest already exists, will retag without resigning."; \
 		$(CRANE) push "$(oci_layout_path)" "$(oci_$*_image_name):$(oci_$*_image_tag)"; \
@@ -142,12 +125,10 @@ $(oci_push_targets): oci-push-%: oci-build-% | $(NEEDS_CRANE) $(NEEDS_COSIGN) $(
 		$(CRANE) push "$(oci_layout_path)" "$(oci_$*_image_name):$(oci_$*_image_tag)"; \
 		$(COSIGN) sign --yes=true "$(oci_$*_image_name)@$(image_ref)"; \
 	fi
+endif
 
 .PHONY: $(oci_maybe_push_targets)
-## Push docker image if tag does not already exist.
-## Expected pushed images:
-## - :v1.2.3, @sha256:0000001
-## - :v1.2.3.sig, :sha256-0000001.sig
+## Run 'make oci-push-...' if tag does not already exist in registry.
 ## @category [shared] Build
 $(oci_maybe_push_targets): oci-maybe-push-%: | $(NEEDS_CRANE)
 	if $(CRANE) manifest digest $(oci_$*_image_name):$(oci_$*_image_tag) > /dev/null 2>&1; then \
@@ -158,7 +139,8 @@ $(oci_maybe_push_targets): oci-maybe-push-%: | $(NEEDS_CRANE)
 	fi
 
 .PHONY: $(oci_load_targets)
-## Load docker image.
+## Build OCI image for the local architecture and load
+## it into the $(kind_cluster_name) kind cluster.
 ## @category [shared] Build
 $(oci_load_targets): oci_platforms := ""
 $(oci_load_targets): oci-load-%: oci-build-% | kind-cluster $(NEEDS_KIND)
diff --git a/make/_shared/repository-base/base/Makefile b/make/_shared/repository-base/base/Makefile
index 11671240..ffcc8e42 100644
--- a/make/_shared/repository-base/base/Makefile
+++ b/make/_shared/repository-base/base/Makefile
@@ -49,8 +49,12 @@ noop: # do nothing
 # and Intel).
 HOST_OS ?= $(shell uname -s | tr A-Z a-z)
 HOST_ARCH ?= $(shell uname -m)
+
 ifeq (x86_64, $(HOST_ARCH))
 	HOST_ARCH = amd64
+else ifeq (aarch64, $(HOST_ARCH))
+	# linux reports the arm64 arch as aarch64
+	HOST_ARCH = arm64
 endif
 
 ##################################
diff --git a/make/_shared/tools/00_mod.mk b/make/_shared/tools/00_mod.mk
index d36ba0a0..8fd663bc 100644
--- a/make/_shared/tools/00_mod.mk
+++ b/make/_shared/tools/00_mod.mk
@@ -94,6 +94,8 @@ TOOLS += klone=v0.0.3
 TOOLS += goreleaser=v1.23.0
 # https://pkg.go.dev/github.com/anchore/syft/cmd/syft?tab=versions
 TOOLS += syft=v0.100.0
+# https://github.com/cert-manager/helm-tool
+TOOLS += helm-tool=v0.2.2
 
 # https://pkg.go.dev/k8s.io/code-generator/cmd?tab=versions
 K8S_CODEGEN_VERSION=v0.29.0
@@ -276,6 +278,7 @@ GO_DEPENDENCIES += applyconfiguration-gen=k8s.io/code-generator/cmd/applyconfigu
 GO_DEPENDENCIES += openapi-gen=k8s.io/code-generator/cmd/openapi-gen
 GO_DEPENDENCIES += defaulter-gen=k8s.io/code-generator/cmd/defaulter-gen
 GO_DEPENDENCIES += conversion-gen=k8s.io/code-generator/cmd/conversion-gen
+GO_DEPENDENCIES += helm-tool=github.com/cert-manager/helm-tool
 
 define go_dependency
 $$(bin_dir)/downloaded/tools/$1@$($(call UC,$1)_VERSION)_%: | $$(NEEDS_GO) $$(bin_dir)/downloaded/tools
@@ -290,6 +293,7 @@ $(foreach GO_DEPENDENCY,$(GO_DEPENDENCIES),$(eval $(call go_dependency,$(word 1,
 ########
 
 HELM_linux_amd64_SHA256SUM=bbb6e7c6201458b235f335280f35493950dcd856825ddcfd1d3b40ae757d5c7d
+HELM_linux_arm64_SHA256SUM=44aaa094ae24d01e8c36e327e1837fd3377a0f9152626da088384c5bc6d94562
 HELM_darwin_amd64_SHA256SUM=da654c9e0fd4fcb50cc5dba051c1c9cf398e21ffa5064b47ac89a9697e139d39
 HELM_darwin_arm64_SHA256SUM=61ba210cd65c53be5c0021c8fc8e0b94f4c122aff32f5ed0e4ea81728108ea20
 
@@ -306,6 +310,7 @@ $(bin_dir)/downloaded/tools/helm@$(HELM_VERSION)_%: | $(bin_dir)/downloaded/tool
 ###########
 
 KUBECTL_linux_amd64_SHA256SUM=0e03ab096163f61ab610b33f37f55709d3af8e16e4dcc1eb682882ef80f96fd5
+KUBECTL_linux_arm64_SHA256SUM=8f7a4bd6bae900a4ddab12bd1399aa652c0d59ea508f39b910e111d248893ff7
 KUBECTL_darwin_amd64_SHA256SUM=d69c2b0929070e42518b304758fbe05cf76c4fb60d36e93bb667d7b76e582124
 KUBECTL_darwin_arm64_SHA256SUM=403beb5d64d8a8517f808a320619a28adc89003b1b710f02421933a9ee4eb968
 
@@ -319,6 +324,7 @@ $(bin_dir)/downloaded/tools/kubectl@$(KUBECTL_VERSION)_%: | $(bin_dir)/downloade
 ########
 
 KIND_linux_amd64_SHA256SUM=513a7213d6d3332dd9ef27c24dab35e5ef10a04fa27274fe1c14d8a246493ded
+KIND_linux_arm64_SHA256SUM=639f7808443559aa30c3642d9913b1615d611a071e34f122340afeda97b8f422
 KIND_darwin_amd64_SHA256SUM=bffd8fb2006dc89fa0d1dde5ba6bf48caacb707e4df8551528f49145ebfeb7ad
 KIND_darwin_arm64_SHA256SUM=8df041a5cae55471f3b039c3c9942226eb909821af63b5677fc80904caffaabf
 
@@ -332,6 +338,7 @@ $(bin_dir)/downloaded/tools/kind@$(KIND_VERSION)_%: | $(bin_dir)/downloaded/tool
 #########
 
 VAULT_linux_amd64_SHA256SUM=f42f550713e87cceef2f29a4e2b754491697475e3d26c0c5616314e40edd8e1b
+VAULT_linux_arm64_SHA256SUM=79aee168078eb8c0dbb31c283e1136a7575f59fe36fccbb1f1ef6a16e0b67fdb
 VAULT_darwin_amd64_SHA256SUM=a9d7c6e76d7d5c9be546e9a74860b98db6486fc0df095d8b00bc7f63fb1f6c1c
 VAULT_darwin_arm64_SHA256SUM=4bf594a231bef07fbcfbf7329c8004acb8d219ce6a7aff186e0bac7027a0ab25
 
@@ -347,6 +354,7 @@ $(bin_dir)/downloaded/tools/vault@$(VAULT_VERSION)_%: | $(bin_dir)/downloaded/to
 ########
 
 AZWI_linux_amd64_SHA256SUM=d2ef0f27609b7157595fe62b13c03381a481f833c1e1b6290df560454890d337
+AZWI_linux_arm64_SHA256SUM=72e34bc96611080095e90ecce58a72e50debf846106b13976f2972bf06ae12df
 AZWI_darwin_amd64_SHA256SUM=2be5f18c0acfb213a22db5a149dd89c7d494690988cb8e8a785dd6915f7094d0
 AZWI_darwin_arm64_SHA256SUM=d0b01768102dd472c72c98bb51ae990af8779e811c9f7ab1db48ccefc9988f4c
 
@@ -363,6 +371,7 @@ $(bin_dir)/downloaded/tools/azwi@$(AZWI_VERSION)_%: | $(bin_dir)/downloaded/tool
 ############################
 
 KUBEBUILDER_TOOLS_linux_amd64_SHA256SUM=878fded1b42261293419621b78c9deac319531a325ea57ef62d9060b444fe356
+KUBEBUILDER_TOOLS_linux_arm64_SHA256SUM=7e441e7cbbd53ba1585a27fded9f4a41d2f354ec86c09ac7de9caf666128461a
 KUBEBUILDER_TOOLS_darwin_amd64_SHA256SUM=f0ce69984cb1e51b68b34408fa79649368c85fe8db9caedc61d02bffc978fced
 KUBEBUILDER_TOOLS_darwin_arm64_SHA256SUM=98092c9edbfab1312d1418244f1f3f2d21509328e5ca8a84e0a6050e7aae69ea
 
@@ -384,6 +393,7 @@ $(bin_dir)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HO
 ###########
 
 KYVERNO_linux_amd64_SHA256SUM=c19d8da3107e75842779b73258f102da95467c3678f3f78b0f85a73fafb9e57d
+KYVERNO_linux_arm64_SHA256SUM=e0de7acb2a85b79c11208141987583bd06dbd95d1c3126d0e4b34fdb9e8abcf4
 KYVERNO_darwin_amd64_SHA256SUM=dee9270d7bbbeac27e737255fe6548ffb81cefc7e4b957fce810d57321a56d29
 KYVERNO_darwin_arm64_SHA256SUM=e08e16adfe373140a2cef9266f9abed5d114738b8ad94e06310dfc4979875369
 
@@ -400,6 +410,7 @@ $(bin_dir)/downloaded/tools/kyverno@$(KYVERNO_VERSION)_%: | $(bin_dir)/downloade
 ######
 
 YQ_linux_amd64_SHA256SUM=0d6aaf1cf44a8d18fbc7ed0ef14f735a8df8d2e314c4cc0f0242d35c0a440c95
+YQ_linux_arm64_SHA256SUM=9431f0fa39a0af03a152d7fe19a86e42e9ff28d503ed4a70598f9261ec944a97
 YQ_darwin_amd64_SHA256SUM=7f88b959c3fd2755e77dbf5bd92780dc3626c1c00ac45d5b5134f04189a142dc
 YQ_darwin_arm64_SHA256SUM=1ef0022ed6d0769d19e2d391dd731162034b0e0ba2c9b53dda039d16cec1c26a
 
@@ -413,6 +424,7 @@ $(bin_dir)/downloaded/tools/yq@$(YQ_VERSION)_%: | $(bin_dir)/downloaded/tools
 ######
 
 KO_linux_amd64_SHA256SUM=5b06079590371954cceadf0ddcfa8471afb039c29a2e971043915957366a2f39
+KO_linux_arm64_SHA256SUM=fcbb736f7440d686ca1cf8b4c3f6b9b80948eb17d6cef7c14242eddd275cab42
 KO_darwin_amd64_SHA256SUM=4f388a4b08bde612a20d799045a57a9b8847483baf1a1590d3c32735e7c30c16
 KO_darwin_arm64_SHA256SUM=45f2c1a50fdadb7ef38abbb479897d735c95238ec25c4f505177d77d60ed91d6
 
@@ -428,6 +440,7 @@ $(bin_dir)/downloaded/tools/ko@$(KO_VERSION)_%: | $(bin_dir)/downloaded/tools
 ##########
 
 PROTOC_linux_amd64_SHA256SUM=ed8fca87a11c888fed329d6a59c34c7d436165f662a2c875246ddb1ac2b6dd50
+PROTOC_linux_arm64_SHA256SUM=99975a8c11b83cd65c3e1151ae1714bf959abc0521acb659bf720524276ab0c8
 PROTOC_darwin_amd64_SHA256SUM=72c6d6b2bc855ff8688c3b7fb31288ccafd0ab55256ff8382d5711ecfcc11f4f
 PROTOC_darwin_arm64_SHA256SUM=320308ce18c359564948754f51748de41cf02a4e7edf0cf47a805b9d38610f16
 
@@ -478,6 +491,7 @@ tools-learn-sha: | $(bin_dir)
 	echo -n "" > "$(LEARN_FILE)"
 
 	HOST_OS=linux HOST_ARCH=amd64 $(MAKE) tools
+	HOST_OS=linux HOST_ARCH=arm64 $(MAKE) tools
 	HOST_OS=darwin HOST_ARCH=amd64 $(MAKE) tools
 	HOST_OS=darwin HOST_ARCH=arm64 $(MAKE) tools
 
diff --git a/make/_shared/tools/util/checkhash.sh b/make/_shared/tools/util/checkhash.sh
index 1787cb28..f626f6f9 100755
--- a/make/_shared/tools/util/checkhash.sh
+++ b/make/_shared/tools/util/checkhash.sh
@@ -21,16 +21,36 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 # This script takes the hash of its first argument and verifies it against the
 # hex hash given in its second argument
 
-SHASUM=$("${SCRIPT_DIR}/hash.sh" "$1")
+function usage_and_exit() {
+	echo "usage: $0 <path-to-target> <expected-hash>"
+	echo "or: LEARN_FILE=<path-to-learn-file> $0 <path-to-target> <old-hash>"
+	exit 1
+}
+
+HASH_TARGET=${1:-}
+EXPECTED_HASH=${2:-}
+
+if [[ -z $HASH_TARGET ]]; then
+	usage_and_exit
+fi
+
+if [[ -z $EXPECTED_HASH ]]; then
+	usage_and_exit
+fi
+
+SHASUM=$("${SCRIPT_DIR}/hash.sh" "$HASH_TARGET")
+
+if [[ "$SHASUM" == "$EXPECTED_HASH" ]]; then
+	exit 0
+fi
 
 # When running 'make learn-sha-tools', we don't want this script to fail.
 # Instead we log what sha values are wrong, so the make.mk file can be updated.
-if [ "$SHASUM" != "$2" ] && [ "${LEARN_FILE:-}" != "" ]; then
-	echo "s/$2/$SHASUM/g" >> "${LEARN_FILE:-}"
+
+if [ "${LEARN_FILE:-}" != "" ]; then
+	echo "s/$EXPECTED_HASH/$SHASUM/g" >> "${LEARN_FILE:-}"
 	exit 0
 fi
 
-if [ "$SHASUM" != "$2"  ]; then
-	echo "invalid checksum for \"$1\": wanted \"$2\" but got \"$SHASUM\""
-	exit 1
-fi
+echo "invalid checksum for \"$HASH_TARGET\": wanted \"$EXPECTED_HASH\" but got \"$SHASUM\""
+exit 1