
external_deps: check hash of downloaded files

Open slipher opened this issue 2 years ago • 2 comments

When downloading a file for the build we should have the expected cryptographic hash (hardcoded) and check that it matches. This goes for the external_deps bundles provided by us as well as the per-dependency source or binary archives used when running external_deps/build.sh. Especially the latter since we can now have various mirrors and want to make sure they are all providing the same thing.

slipher avatar Jan 05 '24 13:01 slipher

Should we hardcode the checksums in a file in the repository, or can we download a separate checksum file?

Basically: can we trust HTTPS or not? Or: can we assume all our users assume HTTPS is safe on their side?

I guess maximum check would be to hardcode the checksums in a file in the repository, but that would be annoying to do.

illwieckz avatar Jan 05 '24 14:01 illwieckz

For the third-party packages downloaded by the build.sh script, the checksums should definitely be part of the Daemon repository. Otherwise it would be too annoying to update a package as someone would have to change it on the server as well. I was thinking to have the checksum as an extra argument to the download function, so that all the changes are in one place.

For the packages released by us, it would be ideal from a security standpoint to hardcode them, but maybe it's too annoying. Having a checksum list on the server would be OK I guess, although it would only protect against accidentally corrupted files, not maliciously changed ones.

slipher avatar Jan 05 '24 16:01 slipher
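The check described in the issue body and the "checksum as an extra argument to the download function" idea from the last comment, written out as a POSIX shell example. This is an added illustration, not code from the Daemon repository or its external_deps/build.sh; the function names (`sha256_of`, `verify_sha256`, `download_checked`), the use of `curl`, and the `.part` temporary name are assumptions. The expected digest is passed by the caller, so the pinned value lives next to the URL in the repository, which is what protects against a tampered mirror (a digest fetched from the same server would only catch accidental corruption, as noted above).

```shell
#!/bin/sh
# Hypothetical download helpers for a build.sh: every download carries its
# expected SHA-256 as an argument; a mismatch removes the file and fails.
set -eu

sha256_of() {
    # Print the lowercase hex SHA-256 of file "$1".
    # Prefer coreutils sha256sum, fall back to shasum (macOS/BSD).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_sha256() {
    # verify_sha256 FILE EXPECTED_HEX
    # Returns 0 when the digest matches, 1 (with a message on stderr) otherwise.
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

download_checked() {
    # download_checked URL EXPECTED_HEX DEST
    # Reuses DEST if it already exists with the right digest (cached archive);
    # otherwise fetches to a temporary name, verifies, and only then renames,
    # so a bad or truncated download never sits at DEST.
    url=$1
    expected=$2
    dest=$3
    if [ -f "$dest" ] && verify_sha256 "$dest" "$expected" 2>/dev/null; then
        return 0
    fi
    tmp="$dest.part"
    curl -fsSL -o "$tmp" "$url"
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Example call as a build script would make it (URL and digest are placeholders):
# download_checked "https://mirror.example/pkg-1.0.tar.gz" \
#     "<sha256 pinned in the repository>" "downloads/pkg-1.0.tar.gz"
```

Because `verify_sha256` only compares the computed digest with the argument, swapping the pinned value is a one-line change in the repository when a package is updated, and every mirror is held to the same value.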