turnkeylinux / tracker

TurnKey Linux Tracker
https://www.turnkeylinux.org

When building appliances should check download against a checksum or GPG key #681

Open JedMeister opened 8 years ago

JedMeister commented 8 years ago

As suggested by @ashkulz on his recent PR against the limesurvey appliance, appliances should check validity of download at build time.

JedMeister commented 7 years ago

Let's start introducing this into v15.0?! Thoughts?

JedMeister commented 3 years ago

Still haven't implemented this so bumping to v17.0.

Part of the issue is that we're often downloading files dynamically (so as to download the latest version) so we'd also need to discover the checksum and/or key to check against. Signed downloads would be easier in general (would only need to be updated when keys are rotated) but it still doesn't seem that common...
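
A sketch of the build-time check discussed in this issue, added here as an example (it is not TurnKey's build code): the checksum is looked up by filename in a `sha256sum`-format list, so it works when the version is discovered dynamically, and the build fails closed on a mismatch or a missing entry. The function name `verify_download`, the `SHA256SUMS` file name and the sample tarball are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed checksum check for a build-time download.
# verify_download FILE SUMS_FILE
#   SUMS_FILE uses the sha256sum format: "<64 hex>  <name>" (or " *<name>").
#   Returns 0 on match, 1 on mismatch, 2 if FILE has no entry or is unreadable.
# Note: a checksum list fetched from the same host as the file only catches
# corruption. Authenticate SUMS_FILE first where upstream signs it, e.g.
#   gpg --verify SHA256SUMS.asc SHA256SUMS   (against a pinned upstream key)
verify_download() {
    file=$1 sums=$2
    [ -r "$file" ] && [ -r "$sums" ] || return 2
    name=$(basename "$file")
    # Exact filename match on the second field; strip the optional
    # binary-mode '*' prefix. Filenames containing spaces are not handled.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        (f "") == (n "") && length($1) == 64 { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Constructed demo: a stand-in "download" and its published checksum list.
demo=$(mktemp -d)
printf 'constructed payload\n' > "$demo/app-1.2.3.tar.gz"
(cd "$demo" && sha256sum app-1.2.3.tar.gz > SHA256SUMS)
if verify_download "$demo/app-1.2.3.tar.gz" "$demo/SHA256SUMS"; then
    echo "checksum OK, continuing build"
else
    echo "verification failed (rc=$?), aborting build" >&2
fi
rm -rf "$demo"
```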