Feature request
Following up on the discussion we had a week ago on the #slack channel, I'd like to suggest the addition of checksum routine(s) as part of the installation process, so downloaded artifacts can be verified before they're extracted/relocated.
This feature will require changes at least in the underlying mongodb (so we can store the different SHA hashes (SHA1, SHA256, SHA512, etc.)), sdkman-cli (to execute the actual verification), the vendor APIs (so SHAs are published alongside the rest of the metadata), broker and maybe other components.
In terms of performing the checksum itself, I'd suggest using shasum - the perl utility that is shipped with pretty much all major *nix distributions and macOS. In addition to that, we can have the checksum routine be executed only if this tool is found on the $PATH, logging a WARN message if checksums are available for the candidate but shasum is not found on the system.
I'm happy to contribute to this feature if it's deemed reasonable.
I second this. It took me a while to figure out how to debug "Download has failed, aborting!" that came from a post installation hook. At the very least, as a stop-gap, it might be worth having the install hooks say "consider deleting ~/.sdkman/tmp*.bin".
Edit: I'm not completely sure about my workaround. I later had to empty the candidates cache: rm ~/.sdkman/candidates/java*. Not sure what else I might be breaking.