Verify downloaded archives#171

Closed

tcely wants to merge 48 commits into oven-sh:main from tcely:tcely-pull-request-verify-archive
Conversation

@tcely tcely commented Mar 4, 2026

Introduces end-to-end asset verification (hash + OpenPGP manifest), GitHub API/header and URL helpers, filesystem-backed caching and response storage, signing-key retrieval with cache/failover, CI runner normalization, package/build script updates, and exposes a verified download checksum output.


See oven-sh/bun#28931 for the canary failures.

Downloading a new version of Bun: https://github.com/oven-sh/bun/releases/download/canary/bun-darwin-aarch64.zip
Verifying via asset metadata: bun-darwin-aarch64.zip
GitHub API digest matched! (sha256:04e851f8137a42d3867eb572133cf72ac1fea440e0e0bc96f842f7e75451330c)
Retrieved verified public key from keys.openpgp.org.
Trusted Key ID: 8eab4d40a7b22b59
Trusted Fingerprint: F3DCC08A8572C0749B3E18888EAB4D40A7B22B59
Checking PGP signature...
  - Key ID	: 8eab4d40a7b22b59
  - Fingerprint	: F3DCC08A8572C0749B3E18888EAB4D40A7B22B59
  - Signed On	: 2026-03-11T14:21:29.000Z

Signature verified successfully.
Error: Error: Integrity Failure: Local hash (04e851f8137a42d3867eb572133cf72ac1fea440e0e0bc96f842f7e75451330c) does not match manifest (13a74e3bd58259cee7d9242ed28d66e8eb65c6bfa97af00f8ef92fa7b29bb8e6)
Obtained version 1.1.0 from package.json
Downloading a new version of Bun: https://github.com/oven-sh/bun/releases/download/bun-v1.1.0/bun-linux-x64.zip
Retrieved verified public key from keys.openpgp.org.
Trusted Key ID: 8eab4d40a7b22b59
Trusted Fingerprint: F3DCC08A8572C0749B3E18888EAB4D40A7B22B59
Checking PGP signature...
  - Key ID	: 8eab4d40a7b22b59
  - Fingerprint	: F3DCC08A8572C0749B3E18888EAB4D40A7B22B59
  - Signed On	: 2024-04-01T16:28:47.000Z

Signature verified successfully.
Successfully verified bun-linux-x64.zip (PGP + SHASUMS256.txt)
