fix: add file integrity verification to prevent corrupted downloads #1327

[Locon213]

Summary

This PR addresses the issue where downloads sometimes result in corrupted archive files. The problem was reported in #1327, where user experienced SHA256 checksum mismatches when downloading files through Gopeed compared to browser downloads.

Problem

User reported that downloaded archive files were corrupted, with SHA256 checksums not matching the expected values. The same files downloaded through browser built-in downloaders were correct.

Solution

Implemented comprehensive file integrity verification with SHA256 and CRC32 hash computation for all downloads.

Changes

Backend (Go)

• Added VerifyIntegrity configuration option for both HTTP and BT protocols
• Implemented SHA256 and CRC32 hash computation for downloaded files
• Added Sha256 field to HTTP stats and FileHashes map to BT stats
• Fixed race condition in chunk download by holding connMu lock through the entire read-check-write-update cycle
• Added error handling for servers that return 200 instead of 206 for range requests
• Always compute file integrity hashes on download completion (not just when VerifyIntegrity is enabled)
• Return error only when VerifyIntegrity config is enabled and verification fails
• Added additional fields to stats: Crc32, FileSize, ExpectedSize, IntegrityVerified
• Improved file size verification with graceful handling of mismatches
• Added comprehensive tests for integrity verification functionality

Frontend (Flutter)

• Added verifyIntegrity toggle to HTTP and BT configuration settings UI
• Added localization strings for the new setting
• Created new Stats model and API endpoint (getTaskStats)
• Added HashInfoDialog modal for viewing detailed hash information
• Display integrity verification info in task detail drawer for completed downloads
• Added security icon button in completed task cards to open hash info dialog
• Added copy buttons for SHA256 and CRC32 hashes
• Visual indicators for verification status (green for verified, red/orange for issues)
• Localization for hash info UI (English and Russian)

Key Features

1. Automatic integrity checking: All downloads now compute SHA256 and CRC32 hashes upon completion
2. Configurable strict mode: Users can enable VerifyIntegrity to fail downloads that don't pass integrity checks
3. User-visible hash information: Users can view and copy hash values to verify against known good values
4. File size validation: Compares actual vs expected file size from server
5. Visual verification status: Clear indicators showing whether integrity was verified successfully

Testing

• Added TestFetcher_IntegrityVerification to verify hash computation works correctly
• Enhanced TestFetcher_Stats to validate all integrity fields
• Updated TestDownloader_Stats to verify integrity information is available through the API

Related Issue

Closes #1327

[codecov]

Codecov Report

❌ Patch coverage is 38.23529% with 42 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.88%. Comparing base (daa8c39) to head (e6f26af).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/protocol/bt/fetcher.go	0.00%	22 Missing ⚠️
internal/protocol/http/fetcher.go	56.52%	13 Missing and 7 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1333      +/-   ##
==========================================
- Coverage   71.21%   70.88%   -0.33%     
==========================================
  Files          49       49              
  Lines        6566     6630      +64     
==========================================
+ Hits         4676     4700      +24     
- Misses       1460     1495      +35     
- Partials      430      435       +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[monkeyWie]

Thanks for the PR and the effort you put into this! I appreciate the detailed implementation.

However, I've decided not to merge this approach. After careful consideration, I feel that integrating file integrity verification as a built-in feature adds more complexity than it solves for the core use case.

The hash computation on every completed download, the additional UI surface, the per-protocol config toggles, and the new API model all introduce ongoing maintenance burden that I'd prefer to avoid at this time.

If file integrity checking is needed, I think it would be better suited as an extension/plugin rather than a core feature — that way users who need it can opt in without affecting the baseline download flow.

Thanks again for your contribution!