Verify FILE_CKSUM (sha256) in pkg_summary(5) on download.

[riastradh]

This is important for detecting version rollback attacks -- verifying a signature on the package itself doesn't help, because the old one also has a valid signature.

Relies on patch proposed for pkg_install to make pkg_info -X generate the FILE_CKSUM lines: https://mail-index.NetBSD.org/tech-pkg/2026/01/06/msg031853.html

(Based on #140 to make schema changes easier and more reliable.)

[jperkin]

I have a couple of issues with this.

Firstly it breaks builds outside of pkgsrc:

$ make
/Library/Developer/CommandLineTools/usr/bin/make  all-am
  CC       pkgin-actions.o
actions.c:45:10: fatal error: 'sha2.h' file not found
   45 | #include <sha2.h>
      |          ^~~~~~~~
1 error generated.
make[1]: *** [pkgin-actions.o] Error 1
make: *** [all] Error 2

I've put a reasonable amount of effort into making pkgin build separately from pkgsrc, and would like to retain that. There are some options for pulling in a compat sha2 if the system doesn't provide one but they either use a different API or end up pulling in quite a lot more code. I'd need to investigate this further.

Secondly I'm not keen on sha256 being hardcoded in a bunch of places, and have an aversion to spaces in column names. Given the pkg_summary format allows for arbitrary hashes, I think I'd prefer a separate table where these are stored along with an associated hash per entry for extensibility.

I'm happy to work on this, but just wanted to post something to say that I am looking at this, as I need to cut a new pkgin release now for the pkgtools upgrade issue and this will have to be deferred until later. I have added initial FILE_CKSUM to pkgsrc-rs so have a test-bed for this, and am looking to extend that to support different hash types.