feat: add support for hash checking

[aduh95]

$ corepack yarn@3.2.1+sha256.deadbeef
Internal Error: Mismatch hashes. Expected deadbeef, got 4e66b50e036d75c28ccd3fb96350bf3901b0a88e4f561da6c2ad5109552a7380
    at IncomingMessage.<anonymous> (/Users/duhamean/Documents/corepack/dist/corepack.js:15884:24)
    at IncomingMessage.emit (node:events:549:35)
    at endReadableNT (node:internal/streams/readable:1359:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)

I'm not sure it's how we want to do it, according to semver.org, we could use build suffix to the version number (e.g. yarn@3.2.1+hash), that would force us to pick a hashing algorithm (which is not a problem in itself, but could create issues in the future if it becomes outdated).

EDIT: with a new version we're now using semver compatible suffix for the hash.

Fixes: #37

[merceyz]

that would force us to pick a hashing algorithm

Not necessarily, you can include the algorithm in the build metadata as well.

yarn@3.2.1+sha512.hash

[aduh95]

that would force us to pick a hashing algorithm

Not necessarily, you can include the algorithm in the build metadata as well.

yarn@3.2.1+sha512.hash

Ah yes, that’s right – IIUC dot is not a valid character, but we could use a dash (unless there are algorithms using a dash in their name?) EDIT: dot is actually valid, and probably what makes the most sense for our use case.

[merceyz]

A dot is perfectly valid, see the examples in https://regex101.com/r/vkijKf/1/ from https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string

[arcanis]

Quite elegant solution 👍

[aduh95]

I just realised I'm checking the hash of the JSON metadata instead of the tarball 🤦‍♂️ Converting to draft for now.

[arcanis]

nit: we don't test sha1, which is what #137 uses

[aduh95]

Makes sense, I've switched to SHA1 and SHA224 in the tests as those are more credible options for hash algorithms.