Optionally use PGP to validate tarballs

[elric1]

No description provided.

[elric1]

This must work whilst still streaming the download, decompression, and tar xf -.

[elric1]

The way to do this properly is approximately:

    curl -o expected-sum $SHA256_URL
    use_pgp_to_validate expected-sum
    curl $iTB_URL | ( tee /dev/stderr | openssl sha256 > the-sum ) 2>&1 | lz4 -d | tar xvpf -
    if ! cmp the-sum expected-sum; then
        echo sigs don\'t match 1>&2
        exit 1
    fi

This still decompresses and unpacks the tarball during the download, thus maximising perfomance, but it also computes the sha256 at the same time so even that step won't slow things down. And it preserves the nice quality of the pipeline that it doesn't require additional disk for the intermediate object.

[elric1]

It might be better to use fd 3 rather than stderr, too, as we might lose error messages. Something more like:

    curl ... | ( tee /dev/fd/3 | openssl sha256 > the-sum ) 3>&1 | lz4 -d | tar xvpf -