check hashes of files we download against expected hash value
Per #8283 (closed), we need to check the hash of each file we download against the expected value. This should ensure that we never build without explicitly approving each new version and a hash for each new version. It will also ensure that when an attacker tampers with the file on the remote server, we will not attempt to build likely hostile source bundles or load hostile extensions.
I think I'll just write a simple macro to check all of the hashes after all the downloads complete. Does that seem like a reasonable approach?