Currently, functions in library_builders.sh do not verify the integrity of downloaded files.
Good practice would be to include SHA256 hashes of the files alongside the versions, verify the checksum, and fail the build on mismatch.
This can be achieved by adding a new optional argument to fetch_unpack in common_utils.sh, which would take a sha256 sum to verify the downloaded file against.
Is this something you'd like to see a PR on?
Originally reported as osmcode/pyosmium-wheel-build#2, but as we move towards manylinux2010, the only "unsafe" downloads will be those done by multibuild.
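One way to implement the check proposed above, as an added example rather than multibuild's own code: a `verify_sha256` helper that compares a file's digest against an expected value and returns non-zero on mismatch (so a build under `set -e` stops), plus a hypothetical `fetch_unpack_verified` wrapper showing how an optional digest argument would slot into a download-then-unpack step. The function names, the `ARCHIVE_SDIR` variable and the use of `curl` are assumptions for illustration, not the project's actual API.

```bash
#!/usr/bin/env bash
# Added example, not multibuild's own code. Verifies the SHA-256 of a
# downloaded archive before unpacking it and fails the build on mismatch.
set -eu

# Print the SHA-256 hex digest of a file. Uses sha256sum (GNU coreutils)
# when present and falls back to shasum (macOS/BSD) otherwise.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 matches EXPECTED_HEX (case-insensitive),
# 1 otherwise, printing both digests to stderr so a CI log shows the cause.
verify_sha256() {
    local file="$1" expected="$2" actual
    actual=$(sha256_of "$file")
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "ERROR: SHA-256 mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# fetch_unpack_verified URL [SHA256_HEX]
# Hypothetical counterpart of a fetch-and-unpack helper with an optional
# digest argument (assumption: directory comes from ARCHIVE_SDIR, default
# "archives"; download via curl). When a digest is given, the archive is
# only unpacked if it matches; without one the call behaves as before.
fetch_unpack_verified() {
    local url="$1" expected="${2:-}"
    local archive_dir="${ARCHIVE_SDIR:-archives}" fname
    fname=$(basename "$url")
    mkdir -p "$archive_dir"
    if [ ! -f "$archive_dir/$fname" ]; then
        curl -fsSL "$url" -o "$archive_dir/$fname"
    fi
    if [ -n "$expected" ]; then
        # A mismatch returns 1; under set -e that aborts the build here.
        verify_sha256 "$archive_dir/$fname" "$expected"
    fi
    tar -xf "$archive_dir/$fname"
}
```

A caller would pass the pinned digest next to the pinned version, e.g. `fetch_unpack_verified "$URL" "$LIBFOO_SHA256"`; leaving the second argument empty keeps existing callers working while they are migrated, but any entry without a digest should be treated as a gap to close rather than a permanent option.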