plugin bundling scripts need to check checksum when downloading

[illume]

Describe the bug

There are some plugin bundling scripts for the app and the container image which download plugins without checking their checksums. The risk is that some files might be corrupted or changed.

Related files:

• build-manifest.json
• app-build-manifest.json
• app/scripts/setup-plugins.js
• container/fetch-plugins.sh

Probably there are other files that call these.

The package command generates a sha256 checksum, so probably we should use that?

We might want to think of this holistically as being part of the publishing process.

Additional Context

Probably this functionality should live in headlamp-plugin. Currently it's in two different scripts.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale