Extend build script with ability to verify tor binaries delivered with netlayer

[cd2357]

Add ability to check that the tor binaries delivered by netlayer match the officially distributed ones.

For official tor singatures and hashes, see v9.5.4 and v10.0.

[chimp1984]

Do they maintain historical versions as well? Could not find 9.5.3. which is used in current Bisq.

[cd2357]

I guess they don't, even the distribution directory link from their blog post announcing v9.5.3 doesn't work anymore.

They probably keep only the latest release of each major version, which is 9.5.4 and 10.0 right now.

(v9.5.4) is expected to be the final version of the Tor Browser 9.5 series
https://blog.torproject.org/new-release-tor-browser-954

[chimp1984]

Thats pretty bad practice IMO. We should keep a repo with historical data so anyone can verify it. To add a new repo where we add the official binaries and hash/sigs for each version Bisq uses would be good. As it seems current tor verion used cannot be verified I would suggest to update to one which we can verify asap. To maybe fork the netlayer project to bring it more under our own control might be good as well. We should remove those dependencies to 3rd party projects as far we can. Not sure if the dependency to cedrics repo is essential there as well, but that might be another candidate to look into how that is integrated in details.

[chimp1984]

@freimair: Could your respond to JesusMcCloud/tor-binary@56b7c8c#commitcomment-42932881 ?