Feature: Validate downloaded binaries by file hash

[kmturley]

Relates to #4861

A malicious actor or maintainer not following best-practices for Release versioning, could swap out a binary file on a GitHub Release without the Heroic team knowing. It could be downloaded and bundled into a Heroic Release without their knowledge. This could break functionality or worse expose Heroic users to attack vectors.

This feature ensures that downloaded binaries from other projects, match the expected file hashes in this project. If the hash changes, assume the file has changed and the file needs to be checked for Viruses again. This feature could be used in conjunction with VirusTotal checking #4868 to validate binaries are safe for Heroic users.

When a Release version number is updated, the corresponding hash should also be updated in meta/downloadHelperBinaries.ts to prevent the script from throwing an Error and blocking builds.

Steps:

• Run pnpm download-helper-binaries
• Script will download binaries as before
• Now checks the file hash against the list of known hashes
• If there is a mismatch, that means the file has changed, throw an Error to prevent the file being bundled.

Example error thrown:

Error: - x64/win32/GalaxyCommunication.exe (Hash mismatch) received 'abc208076a778ee738cae8451c9be7ab33c9787b0b69b2e7e4ffc70becc39e1e' expected 'bbb64b92fd9af97c4dc020aaa2a4bbe392bac84c22d60fc6224805e119842e38'

---

Use the following Checklist if you have changed something on the Backend or Frontend:

• Tested the feature and it's working on a current and clean install.
• Tested the main App features and they are still working on a current and clean install. (Login, Install, Play, Uninstall, Move games, etc.)
• Created / Updated Tests (If necessary)
• Created / Updated documentation (If necessary)