fix #1652: Use GitHub API for standalone python checksums

Since the [20250708](https://github.com/astral-sh/python-build-standalone/releases/tag/20250708)
release, the [python-build-standalone](https://github.com/astral-sh/python-build-standalone)
project does not provide checksum files for individual artifacts, but
rather a single `SHA256SUMS` manifest file containing checksums for all
artifacts. However, since June 3, the GitHub API
[directly provides checksums for release artifacts](https://github.blog/changelog/2025-06-03-releases-now-expose-digests-for-release-assets/).

Because we always fetch the latest release and it's been over a month
since the last cached index file, we can just save the checksums in
out cached index of Python versions.

Author: 13steinj

changelog.d/1652.bugfix.md

@@ -0,0 +1 @@
+Set up standalone python fetching to use checksums directly from the GitHub API.

src/pipx/standalone_python.py

@@ -10,7 +10,7 @@
 import urllib.error
 from functools import partial
 from pathlib import Path
-from typing import Any, Dict, List
+from typing import Any
 from urllib.request import urlopen
 
 from pipx import constants, paths
@@ -22,7 +22,7 @@
 # Much of the code in this module is adapted with extreme gratitude from
 # https://github.com/tusharsadhwani/yen/blob/main/src/yen/github.py
 
-MACHINE_SUFFIX: Dict[str, Dict[str, Any]] = {
+MACHINE_SUFFIX: dict[str, dict[str, Any]] = {
     "Darwin": {
         "arm64": ["aarch64-apple-darwin-install_only.tar.gz"],
         "x86_64": ["x86_64-apple-darwin-install_only.tar.gz"],
@@ -71,7 +71,7 @@ def download_python_build_standalone(python_version: str, override: bool = False
             logger.warning(f"A previous attempt to install python {python_version} failed. Retrying.")
             shutil.rmtree(install_dir)
 
-    full_version, download_link = resolve_python_version(python_version)
+    full_version, (download_link, digest) = resolve_python_version(python_version)
 
     with tempfile.TemporaryDirectory() as tempdir:
         archive = Path(tempdir) / f"python-{full_version}.tar.gz"
@@ -81,7 +81,7 @@ def download_python_build_standalone(python_version: str, override: bool = False
         _download(full_version, download_link, archive)
 
         # unpack the python build
-        _unpack(full_version, download_link, archive, download_dir)
+        _unpack(full_version, download_link, archive, download_dir, digest)
 
         # the python installation we want is nested in the tarball
         # under a directory named 'python'. We move it to the install
@@ -104,15 +104,13 @@ def _download(full_version: str, download_link: str, archive: Path):
             raise PipxError(f"Unable to download python {full_version} build.") from e
 
 
-def _unpack(full_version, download_link, archive: Path, download_dir: Path):
+def _unpack(full_version, download_link, archive: Path, download_dir: Path, expected_checksum: str):
     with animate(f"Unpacking python {full_version} build", True):
         # Calculate checksum
         with open(archive, "rb") as python_zip:
-            checksum = hashlib.sha256(python_zip.read()).hexdigest()
+            checksum = "sha256:" + hashlib.sha256(python_zip.read()).hexdigest()
 
         # Validate checksum
-        checksum_link = download_link + ".sha256"
-        expected_checksum = urlopen(checksum_link).read().decode().rstrip("\n")
         if checksum != expected_checksum:
             raise PipxError(
                 f"Checksum mismatch for python {full_version} build. Expected {expected_checksum}, got {checksum}."
@@ -142,7 +140,7 @@ def get_or_update_index(use_cache: bool = True):
     return index
 
 
-def get_latest_python_releases() -> List[str]:
+def get_latest_python_releases() -> list[tuple[str, str | None]]:
     """Returns the list of python download links from the latest github release."""
     try:
         with urlopen(GITHUB_API_URL) as response:
@@ -152,10 +150,10 @@ def get_latest_python_releases() -> List[str]:
         # raise
         raise PipxError(f"Unable to fetch python-build-standalone release data (from {GITHUB_API_URL}).") from e
 
-    return [asset["browser_download_url"] for asset in release_data["assets"]]
+    return [(asset["browser_download_url"], asset.get("digest")) for asset in release_data["assets"]]
 
 
-def list_pythons(use_cache: bool = True) -> Dict[str, str]:
+def list_pythons(use_cache: bool = True) -> dict[str, tuple[str, str | None]]:
     """Returns available python versions for your machine and their download links."""
     system, machine = platform.system(), platform.machine()
     download_link_suffixes = MACHINE_SUFFIX[system][machine]
@@ -168,23 +166,23 @@ def list_pythons(use_cache: bool = True) -> Dict[str, str]:
     python_releases = get_or_update_index(use_cache)["releases"]
 
     available_python_links = [
-        link
+        (link, digest)
         # Suffixes are in order of preference.
         for download_link_suffix in download_link_suffixes
-        for link in python_releases
+        for link, digest in python_releases
         if link.endswith(download_link_suffix)
     ]
 
-    python_versions: dict[str, str] = {}
-    for link in available_python_links:
+    python_versions: dict[str, tuple[str, str | None]] = {}
+    for link, digest in available_python_links:
         match = PYTHON_VERSION_REGEX.search(link)
         assert match is not None
         python_version = match[1]
         # Don't override already found versions, they are in order of preference
         if python_version in python_versions:
             continue
 
-        python_versions[python_version] = link
+        python_versions[python_version] = link, digest
 
     return {
         version: python_versions[version]