Checksums for external deps we download

[daniel-j-h]

I was just checking out how we build platform independent wheels (good job here, thanks! 🙇‍♂️) and it looks like we are downloading and using some external dependencies (like boost, zlib).

To guarantee for reproducibility and pin down what we bake into the wheel we should probably make sure the downloaded file's checksums match to what we expect. And if not error out.

[wiktorn]

This is good idea. As we are moving towards manylinux2010, there will be no "our" downloads. All will be done either by multibuild or we will relay on Centos binary packages.

For multibuild I propose that handle the integrity checks within multibuild itself.

This still will not guarantee bit-for-bit reproducibility (e.g. security updates in dependant libraries), but I guess this will improve trust in what we build.