feat!: refuse to download unverified downloads

[aduh95]

For the most common use case where a Corepack user interacts with an already-setup-for-Corepack project, this PR doesn't change anything, the project would have a "packageManager" field that includes a hash to validate the download.

However, for cases when there are no hash defined there or in the CLI command (corepack [email protected] …/corepack up/corepack use [email protected]), we need another way to validate the download. For downloads from the npm registry, we verify using the ECDSA signature provided in the package metadata. For package manager that are not downloaded from the npm registry (i.e. Yarn Berry), the download is only protected by TLS, which is pretty good, but not as good.

This change is going to be disruptive to Yarn Berry users. I think the Yarn team can mitigate by either:

• switch to download newer versions of Yarn from the npm registry (we cannot change earlier versions without invalidating everyone's hash).
• send a change for Corepack to validate the download using the npm integrity when no hash is provided.
• provide signatures for Yarn releases in the Yarn registry.

Fixes: https://github.com/nodejs/corepack/issues/495

[arcanis]

switch to download newer versions of Yarn from the npm registry (we cannot change earlier versions without invalidating everyone's hash).

We're unlikely to do that, as we want our official binaries to be downloaded from our official website.

[mcollina]

@arcanis I'm glad to hear that signatures are planned for yarn. what's your timeline to add said support? September/October?