fix(install): make checksum verification mandatory

verify_checksum() previously warned and continued when sha256sum was
unavailable or the checksums file couldn't be downloaded. An attacker
who can manipulate the download could serve a binary without the
checksum file and have it silently installed.

Fail the installation if:
- sha256sum/shasum is not available
- checksums file cannot be downloaded
- filename not found in checksums file

Closes #590

Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com>

Author: latenighthackathon

install.sh

@@ -183,17 +183,15 @@ verify_checksum() {
   _vc_expected="$(grep "$_vc_filename" "$_vc_checksums" | awk '{print $1}')"
 
   if [ -z "$_vc_expected" ]; then
-    warn "no checksum found for $_vc_filename, skipping verification"
-    return 0
+    error "no checksum found for $_vc_filename in checksums file"
   fi
 
   if has_cmd shasum; then
     echo "$_vc_expected  $_vc_archive" | shasum -a 256 -c --quiet 2>/dev/null
   elif has_cmd sha256sum; then
     echo "$_vc_expected  $_vc_archive" | sha256sum -c --quiet 2>/dev/null
   else
-    warn "sha256sum/shasum not found, skipping checksum verification"
-    return 0
+    error "sha256sum or shasum is required to verify checksums"
   fi
 }
 
@@ -256,12 +254,11 @@ main() {
 
   # Verify checksum
   info "verifying checksum..."
-  if download "$_checksums_url" "${_tmpdir}/checksums.txt"; then
-    if ! verify_checksum "${_tmpdir}/${_filename}" "${_tmpdir}/checksums.txt" "$_filename"; then
-      error "checksum verification failed for ${_filename}"
-    fi
-  else
-    warn "could not download checksums file, skipping verification"
+  if ! download "$_checksums_url" "${_tmpdir}/checksums.txt"; then
+    error "could not download checksums file from ${_checksums_url}"
+  fi
+  if ! verify_checksum "${_tmpdir}/${_filename}" "${_tmpdir}/checksums.txt" "$_filename"; then
+    error "checksum verification failed for ${_filename}"
   fi
 
   # Extract