forked from NuGet/NuGet.Client
Validate identifier and version of download packages #64
Open
Labels
0 - Backlog: Issue is accepted, but is not ready to be worked on or not in current sprint.
ClickUp - Backlog: Used when syncing issues between GitHub and Clickup.
Enhancement: Issues that introduce new functionality to the project, or enhance/update existing functionality.
Checklist
Is Your Feature Request Related To A Problem? Please describe.
When a package is downloaded from a source, we are not validating that its identifier and version match the values we expected to download.
See the original NuGet GitHub Advisory: GHSA-g4vj-cjjj-v7hg (rated Low on the client side, High on the NuGetGallery server side).
Describe The Solution. Why is it needed?
We should always ensure that we are installing the expected package whenever it is possible to check this. That includes ensuring that the downloaded file's identifier and version match the metadata that was specified when we looked up the package, before the package is extracted or installed.
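One way to implement that check, written in Python as an added example (it is not NuGet's or Chocolatey's code): the in-memory package builder, the helper names and the simplified version normalization are assumptions made so the example runs offline. The identity is read from the .nuspec metadata inside the downloaded archive, not from the file name, and compared against what the lookup returned: the id case-insensitively, the version after normalization.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Hypothetical helper (not part of the issue): build an in-memory .nupkg
# (a zip with a single root .nuspec) from constructed sample metadata.
def build_nupkg(package_id: str, version: str) -> bytes:
    nuspec = (
        '<?xml version="1.0"?>'
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        f'<metadata><id>{package_id}</id><version>{version}</version>'
        '<authors>example</authors><description>constructed sample</description>'
        '</metadata></package>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{package_id}.nuspec", nuspec)
    return buf.getvalue()


def normalize_version(version: str) -> str:
    """Simplified approximation of NuGet version normalization (assumption:
    mirrors the main rules of NuGetVersion's normalized string): drop build
    metadata, drop leading zeros in numeric parts, pad to three parts, drop a
    trailing zero fourth part, and lowercase the prerelease label."""
    version = version.split("+", 1)[0]            # "1.0.0-beta+sha1" -> "1.0.0-beta"
    base, _, prerelease = version.partition("-")
    parts = [str(int(p)) for p in base.split(".")]  # raises ValueError on junk
    while len(parts) < 3:
        parts.append("0")
    if len(parts) == 4 and parts[3] == "0":
        parts = parts[:3]
    normalized = ".".join(parts)
    if prerelease:
        normalized += "-" + prerelease.lower()
    return normalized


def _local(tag: str) -> str:
    # Strip the XML namespace; nuspec files use several schema versions.
    return tag.rsplit("}", 1)[-1]


def read_identity(nupkg: bytes) -> tuple[str, str]:
    """Return (id, version) from the single root-level .nuspec of the archive."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as zf:
        nuspecs = [n for n in zf.namelist()
                   if n.lower().endswith(".nuspec") and "/" not in n]
        if len(nuspecs) != 1:
            raise ValueError(f"expected exactly one root .nuspec, found {len(nuspecs)}")
        root = ET.fromstring(zf.read(nuspecs[0]))
    fields = {}
    for child in root:
        if _local(child.tag) == "metadata":
            for item in child:
                fields[_local(item.tag)] = (item.text or "").strip()
    if not fields.get("id") or not fields.get("version"):
        raise ValueError("nuspec is missing <id> or <version>")
    return fields["id"], fields["version"]


def validate_package(nupkg: bytes, expected_id: str, expected_version: str) -> tuple[bool, str]:
    """Reject the download if its nuspec identity differs from what was requested.
    Package ids compare case-insensitively; versions compare after normalization."""
    actual_id, actual_version = read_identity(nupkg)
    if actual_id.lower() != expected_id.lower():
        return False, f"id mismatch: expected {expected_id}, got {actual_id}"
    if normalize_version(actual_version) != normalize_version(expected_version):
        return False, f"version mismatch: expected {expected_version}, got {actual_version}"
    return True, "identity matches"


if __name__ == "__main__":
    good = build_nupkg("Contoso.Lib", "1.0.0")
    swapped = build_nupkg("Other.Lib", "1.0.0")
    print(validate_package(good, "contoso.lib", "1.0"))
    print(validate_package(swapped, "Contoso.Lib", "1.0.0"))
```

This catches a source that hands back a different package than the one the metadata lookup described. It does not, on its own, catch a compromised source serving a tampered package with the right id and version; that needs hash or signature verification of the archive, which is a separate check. In the .NET client the same metadata is available from NuGet.Packaging's package reader (PackageArchiveReader.GetIdentity(), to the best of my knowledge) rather than hand-rolled XML parsing.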
User Story
As a user installing packages
I want to ensure that a package being installed matches the metadata
so that malicious interception of packages can be prevented.
Additional Context
This was added upstream in NuGet PR NuGet#7284, with a follow-up for tests in NuGet#7296.
This is low priority because such package installations will fail anyway, due to logic in Chocolatey CLI that looks up expected paths after the package has been extracted on disk.
Acceptance Criteria
Related Issues
No response