
Security Fix: Add checksum verification of dynamic asm downloads #877

Merged (3 commits), Jan 9, 2024

Conversation

steelhead31
Contributor

Fixes #876

Include MD5 checksum verification of ASM downloads.

github-actions bot commented Jan 8, 2024

Thank you for creating a pull request!

Please check out the information below if you have not made a pull request here before (or if you need a reminder how things work).

Code Quality and Contributing Guidelines

If you have not done so already, please familiarise yourself with our Contributing Guidelines and Code Of Conduct, even if you have contributed before.

Tests

GitHub Actions will run a set of jobs against your PR that will lint and unit test your changes. Keep an eye out for the results from these on the latest commit you submitted. For more information, please see our testing documentation.

In order to run the advanced pipeline tests (executing a set of mock pipelines), it requires an admin to post "run tests" on this PR.
If you are not an admin, please ask for one's attention in #infrastructure on Slack or ping one here.
To run the full set of tests, use "run tests"; for a subset of tests on specific JDK versions, use "run tests quick 11,21".

Review comment on tools/code-tools/jcov.sh (outdated, resolved)
@steelhead31 steelhead31 requested a review from karianna January 9, 2024 08:36
Member

@sxa sxa left a comment

Simplicity suggestion
Also suggest adding Ref: TOB-TEMURIN-xx in the description as a reference for these fixes :-)

Noting that downloading and using an MD5 checksum file from the same place as the tarball is not ideal, but since the version can be dynamically obtained from a build.properties file we can't hard-code it along with the version number (unless we add that to build.properties).

I'm ok to approve this as-is so we have some sort of check, but we should create an issue to come up with a better solution for the future.

Review comment on tools/code-tools/jcov.sh (resolved)
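The concern raised above (a checksum file served next to the tarball only detects corruption, not substitution, and the version comes from build.properties so a digest cannot simply be hard-coded beside it) can be met by pinning a digest per version in the repository and looking it up with the version read from build.properties. The script below is an added illustration, not code from adoptium's jcov.sh or the project's build; the `asm.version` key, the file names and the "pinned" digest are constructed for the demo, and the per-version digest table is a hypothetical workflow that the project would have to adopt.

```shell
#!/bin/sh
# Added example; not code from adoptium/temurin-build or its jcov.sh.
# Idea: read the version from build.properties (as the build already does) and
# look the expected digest up in a table kept in the repo, rather than fetching a
# .md5 from the same origin as the tarball. Every file below is constructed.

# Read "key = value" from a Java-style properties file; prints the first match.
read_property() {  # read_property <file> <key>
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Maintainer step, run once when the version in build.properties is bumped:
# print the SHA-256 to commit alongside that version (hypothetical workflow).
pin_digest() {  # pin_digest <file>
  sha256sum "$1" | cut -d ' ' -f 1
}

# Build step: the download must match the digest pinned for its version.
# Returns 0 on match, 1 on mismatch or when no digest is pinned.
verify_download() {  # verify_download <file> <pinned_sha256>
  if [ -z "$2" ]; then
    echo "no pinned digest for this version, refusing to use $1" >&2
    return 1
  fi
  actual=$(sha256sum "$1" | cut -d ' ' -f 1)
  if [ "$actual" != "$2" ]; then
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
  fi
  return 0
}

# The weaker form the PR discussion mentions, kept for contrast: compare against
# a sidecar .md5 downloaded from the same place as the tarball. Anyone who can
# replace the tarball can regenerate the sidecar, so this catches corruption
# but not substitution.
verify_with_sidecar_md5() {  # verify_with_sidecar_md5 <file> <file.md5>
  expected=$(cut -d ' ' -f 1 "$2")
  actual=$(md5sum "$1" | cut -d ' ' -f 1)
  [ "$actual" = "$expected" ]
}

# Walk through both checks on constructed files; prints one summary line.
demo() {
  work=$(mktemp -d)
  printf 'asm.version = 9.6\n' > "$work/build.properties"
  printf 'constructed stand-in for an asm tarball\n' > "$work/asm.tar.gz"
  version=$(read_property "$work/build.properties" asm.version)
  pinned=$(pin_digest "$work/asm.tar.gz")   # what the repo would hold for 9.6

  if verify_download "$work/asm.tar.gz" "$pinned"; then good=pass; else good=fail; fi

  # Attacker replaces the tarball and regenerates the sidecar .md5 next to it.
  printf 'tampered payload\n' > "$work/asm.tar.gz"
  md5sum "$work/asm.tar.gz" > "$work/asm.tar.gz.md5"
  if verify_with_sidecar_md5 "$work/asm.tar.gz" "$work/asm.tar.gz.md5"; then
    sidecar=pass; else sidecar=fail; fi
  if verify_download "$work/asm.tar.gz" "$pinned" 2>/dev/null; then
    pinned_check=pass; else pinned_check=fail; fi

  rm -rf "$work"
  echo "version=$version original=$good sidecar-after-swap=$sidecar pinned-after-swap=$pinned_check"
}

demo
```

The sidecar check still passes after the swap because the attacker controls both files; the pinned check fails because the expected digest lives in the repository, where a change would have to go through review. SHA-256 is used for the pin because MD5 collisions are practical; if the upstream only publishes MD5, pinning that value in-repo is still better than fetching it at build time, but the digest should be re-pinned with a stronger hash when the project generates it itself.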
Member

@sxa sxa left a comment

Approving, but as per the earlier comment let's get another issue created to look at doing this in a better way in the future, and to look for other similar instances.

@steelhead31 changed the title from "Security Fix: Add checksum verification of dynamic asm downloads" to "Security Fix: Add checksum verification of dynamic asm downloads (TOB-TEMURIN-12)" on Jan 9, 2024
@steelhead31 changed the title from "Security Fix: Add checksum verification of dynamic asm downloads (TOB-TEMURIN-12)" back to "Security Fix: Add checksum verification of dynamic asm downloads" on Jan 9, 2024
@Haroon-Khel
Contributor

ping @karianna for rereview

@Haroon-Khel Haroon-Khel enabled auto-merge (squash) January 9, 2024 17:54
@Haroon-Khel Haroon-Khel merged commit 706dcea into adoptium:master Jan 9, 2024
6 of 7 checks passed
Successfully merging this pull request may close these issues.

JCOV Tools Download Without Integrity Checks
4 participants