It looks like our retry handling code is correct and I suspect that the CDN is sending us wrong data. I created a (mostly blackbox) test in https://github.com/snapcore/snapd/pull/3158/files that triggers an EOF in the middle of the download and it handles the issue correctly.