diff --git a/calc_sri_fix.sh b/calc_sri_fix.sh
index cfc47292..0647e073 100644
--- a/calc_sri_fix.sh
+++ b/calc_sri_fix.sh
@@ -4,9 +4,10 @@ set -euo pipefail
 
 # calculate_sri downloads the given URL, computes the SHA-384 SRI hash of its content (base64) and echoes a line "<url> sha384-<base64_hash>".
 calculate_sri() {
-    url="$1"
+    local url="$1"
+    local temp_file
     temp_file=$(mktemp)
-    trap 'rm -f "$temp_file"' RETURN
+    trap "rm -f \"$temp_file\"" RETURN
 
     # curl options: -f (fail on HTTP error), -S (show error), -s (silent equivalent), -L (follow redirects)
     if ! curl -fS -sL "$url" -o "$temp_file"; then
@@ -20,6 +21,7 @@ calculate_sri() {
         return 1
     fi
 
+    local hash
     hash=$(openssl dgst -sha384 -binary < "$temp_file" | openssl base64 -A)
     echo "$url sha384-$hash"
     rm -f "$temp_file"