Currently, this installer downloads the NW.js binaries over insecure HTTP, leaving them open to malicious tampering (your computer could get pwned). Ideally, the binaries would have PGP signatures (pending nwjs/nw.js#3071) that could be verified, or would be available over HTTPS (pending nwjs/nw.js#3062).
I'd like to suggest an alternative that would be fairly simple to implement in the meantime. The autobump script could calculate the SHA-2 hash for each NW.js archive and save these hashes to package.json. When the install script runs, it could verify the downloaded file against the appropriate hash. It wouldn't be quite NSA-proof, but it would be a lot better than nothing.
If you're OK with this, I think I could put together a pull request with these changes sometime this week.
Cheers,
Tim
I'd be happy to support it when nw.js itself supports HTTPS downloads. I think implementing our own interim solution might just be adding complexity for false security.