asdf
Improve security of downloading a binary by checking the fingerprint
Is your feature request related to a problem? Please describe
I'm not sure if this is already done or if it's the plugin's responsibility, but it would be nice to have some sort of check that the binary being downloaded is the one published by the upstream organisation that compiles it.
If we take the example of kubectl, the documentation https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/ encourages you to "Validate the binary":
echo "$(cat kubectl.sha256) kubectl" | sha256sum --check
This doesn't seem to be checked by asdf
Describe the proposed solution
Add the sha256 or other metadata that enables asdf or its plugins to validate the binary download.
Describe similar asdf features and why they are not sufficient
Haven't found any mention of fingerprints in the documentation.
Quick read of https://github.com/asdf-community/asdf-kubectl/blob/master/bin/install seems to show this is not done.
Describe other workarounds you've considered
Having some sort of post hook or other script that checks the fingerprints?
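The check the request describes, written out as an added example of what a plugin's install script (or a post-download hook) could run between fetching a release binary and placing it in the install path. This is illustrative code, not asdf's or asdf-kubectl's own; it assumes the upstream publishes a sidecar checksum file holding the hex SHA-256 digest, optionally followed by the file name (the format kubectl.sha256 uses and sha256sum --check accepts), and it uses constructed fixture files in place of a real download.

```shell
#!/bin/sh
# Added example (not asdf's or asdf-kubectl's code): a checksum gate between
# downloading a release binary and installing it. Assumes a sidecar checksum
# file whose first field is the hex SHA-256 digest, as kubectl.sha256 provides.

# Print the SHA-256 hex digest of a file, using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_download <binary> <checksum-file>
# Exit status 0 only when the checksum file holds a well-formed digest and it
# matches the binary; a missing, empty, malformed or mismatching checksum fails.
verify_download() {
  bin="$1"
  sums="$2"
  [ -f "$bin" ] && [ -f "$sums" ] || return 1
  expected="$(awk 'NR==1 {print tolower($1)}' "$sums")"
  # Refuse to "pass" when the .sha256 download is truncated or is an HTML
  # error page saved under that name: the digest must be exactly 64 hex chars.
  printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' || return 1
  actual="$(sha256_of "$bin")"
  [ "$actual" = "$expected" ]
}

# Demonstration with constructed fixtures in a temp dir (no network). The files
# stand in for the downloaded kubectl and its published kubectl.sha256.
demo() {
  tmp="$(mktemp -d)"
  printf 'constructed stand-in for a release binary\n' > "$tmp/kubectl"
  sha256_of "$tmp/kubectl" > "$tmp/kubectl.sha256"

  if verify_download "$tmp/kubectl" "$tmp/kubectl.sha256"; then
    echo "genuine download: checksum OK, safe to install"
  fi

  # Simulate a corrupted or tampered download: the digest no longer matches.
  printf 'extra byte\n' >> "$tmp/kubectl"
  if ! verify_download "$tmp/kubectl" "$tmp/kubectl.sha256"; then
    echo "altered download: checksum mismatch, refusing to install"
  fi
  rm -rf "$tmp"
}

demo
```

The digest file should be fetched over HTTPS from the same publisher as the binary, and the binary left uninstalled whenever verify_download returns non-zero; a checksum only proves integrity against what the publisher posted, so a signed checksum or release signature is the stronger check where the upstream offers one.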