GH-699: hash/digest verification of URL dependencies

[ascopes]

This change introduces a new set of options that can be specified when referencing protoc plugins by URL that allow users to specify the expected digest of the resource to be downloaded. If the downloaded resource does not match the digest, then the plugins are not executed, and the build will fail with an error.

The aim is to allow users to verify that their dependencies have not been tampered with prior to running anything. This is already performed internally by Maven on Maven-based dependencies.

Digests will be able to be specified in the format md5:09f7e02f1290be211da707a266f153b3, sha256:66a045b452102c59d840ec097d59d9467e13a3f34f6494e539ffd32c1bb35f18, etc for any supported JVM MessageDigest (this is usually a small set including MD5, SHA-1, SHA-256, and SHA-512).

Users should consult the documentation for their Java version to see which MessageDigest format are supported for their platform.

Users may in theory be able to extend this by adding bouncy castle to the classpath, although this will not be tested nor verified in this PR.

---

TODO list

• Implement Digest class for parsing, holding, comparing digests
• Unit test Digest class
• Implement Plexus DigestConverter to allow parsing digests to Digest objects in pom.xml configuration blocks
• Unit test DigestConverter class
• Remove all references of *.utils.Digests, and replace with this new Digest class
• Add optional digest attribute to URL plugins
• Validate digest of URL resource if the digest is provided in the configuration
• Add optional digest for protoc executable if specified as a URL.
• Report user-friendly errors if digests do not match
• Implement new integration tests
• Minor version bump
• Update documentation for MOJO goals
• Update user guide markdown documentation

Closes GH-699.

[codecov]

Codecov Report

Attention: Patch coverage is 89.09091% with 12 lines in your changes missing coverage. Please review.

Project coverage is 91.51%. Comparing base (aca2f46) to head (e87c52a).
Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
...pes/protobufmavenplugin/protoc/ProtocResolver.java	58.34%	4 Missing and 1 partial ⚠️
...tobufmavenplugin/plugins/BinaryPluginResolver.java	55.56%	3 Missing and 1 partial ⚠️
...thub/ascopes/protobufmavenplugin/utils/Digest.java	93.75%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #701      +/-   ##
==========================================
- Coverage   91.91%   91.51%   -0.39%     
==========================================
  Files          56       58       +2     
  Lines        1667     1755      +88     
  Branches      105      115      +10     
==========================================
+ Hits         1532     1606      +74     
- Misses         99      111      +12     
- Partials       36       38       +2     

Files with missing lines	Coverage Δ
...pes/protobufmavenplugin/fs/UriResourceFetcher.java	100.00% <100.00%> (ø)
...enplugin/generation/ProtobufBuildOrchestrator.java	88.42% <100.00%> (ø)
...protobufmavenplugin/mojo/AbstractGenerateMojo.java	100.00% <100.00%> (ø)
...otobufmavenplugin/mojo/plexus/DigestConverter.java	100.00% <100.00%> (ø)
...n/mojo/plexus/ProtobufMavenPluginConfigurator.java	100.00% <100.00%> (ø)
...protobufmavenplugin/plugins/JvmPluginResolver.java	83.34% <100.00%> (ø)
...otobufmavenplugin/sources/ProtoSourceResolver.java	81.40% <100.00%> (+0.22%)	⬆️
...n/sources/incremental/IncrementalCacheManager.java	90.91% <100.00%> (ø)
...pes/protobufmavenplugin/utils/DigestException.java	100.00% <100.00%> (ø)
...thub/ascopes/protobufmavenplugin/utils/Digest.java	93.75% <93.75%> (ø)
... and 2 more

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.