Plugin manager should validate the SHA, where possible

[clintongormley]

The plugin manager should perform SHA sum validation when available. If there is a shasum file in a specific location with a specific naming pattern, we can verify the sum after download.

[spinscale]

Implementation detail: When running mvn install the creation of the checksums results simply in .md5 and .sha1 suffixes appended to the file...

Impl: We simply should GET that URL as well... http://.../analysis-kuromoji.zip.sha1

• If checksum file exists, compare the checksum with the downloaded file. If these differ, exit. If these match, print a message telling that checksums were ok
• If checksum does not exist, behave as usual, but print a warning, that no checksum comparison has happened, but proceed to install the plugin

Not sure if we need command line parameters like --ignore-invalid-checksums or --abort-without-checksums for now.

[dakrone]

@spinscale I'm looking at this, it looks like we don't actually provide sha1 or md5 files for our own plugins? I am just curious if there's an already-available plugin I can use for manual testing of this.

[dakrone]

Also, I guess nevermind on our own plugins, I can run a local server and test it with a URL that way, I was just curious if we already hosted the checksum files.

[spinscale]

no, this is since 2.0...