
Verify checksums transparently by storing checksums in registries #2665

Open
suzuki-shunsuke opened this issue Feb 5, 2024 · 0 comments
suzuki-shunsuke commented Feb 5, 2024

Feature Overview

Store checksums in registries and verify checksums.

Why is the feature needed?

As you know, aqua has the feature for checksum verification.

https://aquaproj.github.io/docs/reference/security/checksum/

This is very awesome, but this feature is disabled by default.
I think it's difficult to enable this feature by default because, to enable this feature in Git projects, users need to manage aqua-checksums.json with Git, which means users need to update aqua-checksums.json continuously.
We provide GitHub Actions and a CircleCI Orb to automate the update of aqua-checksums.json,
but I don't think most users set them up.
Unfortunately, I don't think most users are so interested in checksum verification.

⚠️ This is just my expectation, so maybe this is wrong.

So I don't think most people verify checksums; this is undesirable and dangerous.

By the way, Homebrew verifies checksums transparently by keeping checksums in formulas.
It's so nice.

So I'm thinking that we store checksums in registries and aqua verifies checksums with them.
Users don't need to set up anything, but aqua verifies checksums transparently.

This improves the security without harming the user experience.

Workaround

No response

Example Code

No response

Note

No response
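The verification step the proposal describes (registry entry carries the expected digest; the installer hashes the downloaded asset and refuses to install on any mismatch) as an added example. This is illustration code written for this page, not aqua's own implementation: the RegistryPackage shape, the package name "example/tool", the asset file names and the version are all constructed, and the only digest used is the well-known SHA-256 of the bytes "abc", standing in for a real release archive so the example runs offline.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// RegistryPackage is a hypothetical, simplified registry entry. The point of
// the proposal is that the registry itself carries the expected digest of
// every release asset, so the user keeps no aqua-checksums.json in their repo.
type RegistryPackage struct {
	Name      string
	Version   string
	Algorithm string            // only "sha256" is handled in this example
	Checksums map[string]string // asset file name -> hex digest
}

// Sentinel errors so a caller can distinguish the failure modes.
var (
	ErrChecksumMissing      = errors.New("registry records no checksum for this asset")
	ErrChecksumMalformed    = errors.New("registry checksum is not a valid hex digest")
	ErrUnsupportedAlgorithm = errors.New("unsupported checksum algorithm")
	ErrChecksumMismatch     = errors.New("downloaded asset does not match registry checksum")
)

// VerifyAsset compares the digest of the downloaded bytes with the digest the
// registry recorded for that asset. Any error means the asset must not be
// installed; a missing entry is a failure, not a silent pass.
func VerifyAsset(pkg RegistryPackage, asset string, data []byte) error {
	expectedHex, ok := pkg.Checksums[asset]
	if !ok {
		return fmt.Errorf("%s@%s %s: %w", pkg.Name, pkg.Version, asset, ErrChecksumMissing)
	}
	if pkg.Algorithm != "sha256" {
		return fmt.Errorf("%s@%s: %q: %w", pkg.Name, pkg.Version, pkg.Algorithm, ErrUnsupportedAlgorithm)
	}
	expected, err := hex.DecodeString(strings.ToLower(strings.TrimSpace(expectedHex)))
	if err != nil || len(expected) != sha256.Size {
		return fmt.Errorf("%s@%s %s: %w", pkg.Name, pkg.Version, asset, ErrChecksumMalformed)
	}
	actual := sha256.Sum256(data)
	// The digest is public, so constant-time comparison is not strictly
	// required here; it is simply the habit to keep for any security check.
	if subtle.ConstantTimeCompare(actual[:], expected) != 1 {
		return fmt.Errorf("%s@%s %s: %w (expected %s, got %s)",
			pkg.Name, pkg.Version, asset, ErrChecksumMismatch,
			expectedHex, hex.EncodeToString(actual[:]))
	}
	return nil
}

// SampleRegistryPackage returns a constructed registry entry. The digest is
// the standard SHA-256 test vector for the three bytes "abc".
func SampleRegistryPackage() RegistryPackage {
	return RegistryPackage{
		Name:      "example/tool", // hypothetical package name
		Version:   "v0.0.0",       // hypothetical version
		Algorithm: "sha256",
		Checksums: map[string]string{
			"tool_linux_amd64.tar.gz": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
		},
	}
}

func main() {
	pkg := SampleRegistryPackage()
	asset := "tool_linux_amd64.tar.gz"
	// Simulated downloads: the genuine asset, then a tampered copy.
	for _, data := range [][]byte{[]byte("abc"), []byte("abd")} {
		if err := VerifyAsset(pkg, asset, data); err != nil {
			fmt.Println("REJECT:", err)
		} else {
			fmt.Println("OK: install", asset)
		}
	}
	// An asset the registry never recorded is rejected rather than trusted.
	fmt.Println("REJECT:", VerifyAsset(pkg, "tool_darwin_arm64.tar.gz", []byte("abc")))
}
```

Two design points worth noting. First, the absence of a registry checksum is treated as an error, so a package whose registry entry was never updated cannot quietly skip verification. Second, this scheme moves the trust anchor from a per-project aqua-checksums.json to the registry itself, so the registry must be fetched from a trusted, version-pinned source; otherwise whoever can alter the registry can alter the expected digest along with the asset.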

@suzuki-shunsuke suzuki-shunsuke added the enhancement New feature or request label Feb 5, 2024
@suzuki-shunsuke suzuki-shunsuke changed the title Store checksums in registries and verify checksums Verify checksums transparently by storing checksums in registries Feb 5, 2024
Projects
Status: Backlog