There are two issues to address with this:
- checksums to validate the download was complete and correct (checking the checksum file in a repo should be good enough for this)
- checksums to validate that the download is from the original author
The latter is much harder. We'll have to implement PGP support so we can check the signature on the checksum file.
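Both stages in one script, as an added example that is not part of this thread or the project's code: stage one parses a sha256sum-style checksum file and compares the artifact's digest (fails closed on a malformed or empty checksum file); stage two verifies a detached PGP signature on the checksum file with GnuPG and accepts it only if gpg's VALIDSIG status line names a pinned fingerprint, checked from an isolated homedir that holds nothing but the author's public key. Assumptions: GnuPG 2.x is on PATH as `gpg` for the signature stage (the demo skips it otherwise); the artifact bytes, file names and the throwaway "Release Bot" key are constructed here for the demonstration.

```python
"""Two-stage download verification: pinned-fingerprint PGP signature on the
checksum file, then SHA-256 of the artifact against that file.
Added example; assumes GnuPG 2.x ('gpg') on PATH for the signature stage."""
import hashlib
import hmac
import os
import re
import shutil
import subprocess
import tempfile

# sha256sum output: "<64 hex>  <name>" (text mode) or "<64 hex> *<name>" (binary)
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](\S.*)$")

SAMPLE_ARTIFACT = b"hello"  # constructed stand-in for a release tarball
SAMPLE_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


def parse_sha256sums(text):
    """Return {filename: digest}. Any malformed line is an error: a truncated
    or edited checksum file must fail closed, not verify 'nothing'."""
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        m = _LINE.match(raw)
        if not m:
            raise ValueError(f"malformed checksum line {lineno}: {raw!r}")
        sums[m.group(2)] = m.group(1).lower()
    if not sums:
        raise ValueError("checksum file has no entries")
    return sums


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_checksum(artifact_path, sums):
    """True iff the artifact is listed in the checksum file and its SHA-256 matches."""
    name = os.path.basename(artifact_path)
    if name not in sums:
        raise ValueError(f"{name} not listed in checksum file")
    return hmac.compare_digest(sha256_file(artifact_path), sums[name])


def verify_signature(sums_path, sig_path, gpg_home, expected_fpr):
    """Verify the detached signature on the checksum file and pin the signer.
    gpg_home is an isolated homedir holding only the author's public key; the
    signature is accepted only if gpg's VALIDSIG status names expected_fpr.
    GOODSIG alone is not enough: it says *some* known key signed, not which."""
    cmd = ["gpg", "--batch", "--homedir", gpg_home, "--status-fd", "1",
           "--verify", sig_path, sums_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    seen = set()
    for line in proc.stdout.splitlines():
        # [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> <primary-fpr>
        if line.startswith("[GNUPG:] VALIDSIG "):
            fields = line.split()
            seen.update({fields[2], fields[-1]})
    return proc.returncode == 0 and expected_fpr.replace(" ", "").upper() in seen


def checksum_stage_demo(tamper=False):
    """Stage one on a constructed artifact; tamper=True appends a byte after the
    checksum file was produced, standing in for a corrupted download."""
    with tempfile.TemporaryDirectory() as d:
        artifact = os.path.join(d, "release.tar.gz")
        with open(artifact, "wb") as f:
            f.write(SAMPLE_ARTIFACT)
        if tamper:
            with open(artifact, "ab") as f:
                f.write(b"\x00")
        return verify_checksum(artifact, parse_sha256sums(f"{SAMPLE_SHA256}  release.tar.gz\n"))


def signature_stage_demo():
    """Stage two end to end with a throwaway key: sign SHA256SUMS in one homedir,
    verify from a second homedir holding only the exported public key.
    Returns (pinned_fpr_accepted, wrong_fpr_rejected), or None if gpg is missing."""
    if shutil.which("gpg") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        signer, verifier = os.path.join(d, "signer"), os.path.join(d, "verifier")
        for home in (signer, verifier):
            os.mkdir(home, 0o700)  # gpg warns on permissive homedir permissions
        g = ["gpg", "--batch", "--homedir", signer, "--pinentry-mode", "loopback", "--passphrase", ""]
        subprocess.run(g + ["--quick-generate-key", "Release Bot <bot@example.invalid>",
                            "default", "default", "never"], check=True, capture_output=True)
        cols = subprocess.run(g + ["--with-colons", "--fingerprint"], check=True,
                              capture_output=True, text=True).stdout
        fpr = next(l.split(":")[9] for l in cols.splitlines() if l.startswith("fpr:"))
        sums_path = os.path.join(d, "SHA256SUMS")
        with open(sums_path, "w") as f:
            f.write(f"{SAMPLE_SHA256}  release.tar.gz\n")
        subprocess.run(g + ["--detach-sign", "--armor", "--output", sums_path + ".asc", sums_path],
                       check=True, capture_output=True)
        pub = os.path.join(d, "release-bot.asc")
        subprocess.run(g + ["--export", "--armor", "--output", pub], check=True, capture_output=True)
        subprocess.run(["gpg", "--batch", "--homedir", verifier, "--import", pub],
                       check=True, capture_output=True)
        sig = sums_path + ".asc"
        return (verify_signature(sums_path, sig, verifier, fpr),
                verify_signature(sums_path, sig, verifier, "0" * 40))


if __name__ == "__main__":
    print("checksum ok:", checksum_stage_demo(), "tampered detected:", not checksum_stage_demo(tamper=True))
    print("signature stage (pinned accepted, wrong fpr rejected):", signature_stage_demo())
```

The order matters: run the signature check first and only then trust the checksum file's contents, since until the signature is verified the checksum file is just another unauthenticated download from the same place as the artifact. Pinning the fingerprint in the verifier (rather than trusting whatever key a keyserver returns) is what makes the second bullet hold; the checksum stage alone covers only the first.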