Verify kernel archive SHA-256 digests

[haoruilee]

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation update

Motivation and Context

Closes #1687

The default kernel archive is downloaded from a remote release URL during first-run setup and via container system kernel set --recommended. Previously, the archive contents were not verified
after download, so integrity depended only on HTTPS and the release artifact remaining unchanged.

This change adds Homebrew-style url + sha256 verification for kernel archives. The recommended/default kernel now has a pinned SHA-256 digest, and container system kernel set --tar accepts
--sha256 so custom local or remote tar archives can be verified before unpacking and installation.

Testing

• Tested locally
• Added/updated tests
• Added/updated docs

Validated on macOS:

• swift test --filter KernelServiceTests passed
• swift test --filter ConfigurationLoaderTests passed
• container system kernel set --tar <remote-url> --binary <path> --sha256 <digest> succeeded and containers ran successfully

[kasc0206]

审查意见 / Review

This is a well-crafted security improvement. The SHA-256 digest verification for kernel downloads is an important addition.

优点 / Strengths

1. End-to-end implementation: From CLI flag → config → XPC message → server-side verification, the full pipeline is covered
2. Backward compatible: sha256 is String? with default nil, so existing configs work unchanged
3. Smart defaults: Auto-populates the default SHA-256 when using the default kernel URL, while allowing custom values for custom URLs
4. No breaking API changes: All new parameters have sensible defaults
5. Proper error messaging: The --sha256 can only be used with --tar

Suggestion

• Consider adding a --sha256-verify flag with --sha256-verify=false to allow users to explicitly skip verification, rather than relying on nil meaning "no verification". But this is optional — current behavior is reasonable.

已验证 / Verified

• Code compiles with swift build ✅
• Follows existing project patterns (XPC keys, Config struct, ProgressBar)

Great contribution!

[kasc0206]

Code Review Summary / 代码审查摘要

Strengths / 优点

1. End-to-end implementation: From CLI flag (--sha256) → Config (sha256 in TOML) → XPC message → server-side verification, the full pipeline is covered
   端到端实现：从 CLI 参数到配置到 XPC 消息到服务端校验，完整链路覆盖
2. Backward compatible: sha256 is String? with default nil — existing configs work unchanged
   向后兼容：sha256 为可选的 String? 类型，现有配置无需修改
3. Smart defaults: Auto-populates the default SHA-256 when using the default kernel URL, while allowing custom values for custom URLs
   智能默认值：使用默认内核 URL 时自动填充默认 SHA-256，自定义 URL 可自行指定
4. No breaking API changes to callers: All new parameters have sensible defaults
   无破坏性 API 变更：所有新参数都有合理的默认值
5. CLI validation: --sha256 correctly rejected when used without --tar
   CLI 参数校验：--sha256 不带 --tar 时正确报错

Suggestion / 建议

Consider adding a --sha256-verify / --sha256-verify=false flag to let users explicitly skip verification. Currently, nil means "no verification", which is reasonable but implicit.
考虑增加 --sha256-verify 标志，让用户能显式关闭校验。当前 nil 表示"不校验"是合理的但较隐晦。

Verification / 验证

• Code compiles with swift build ✅
• Follows existing project patterns (XPC keys config, ProgressBar, Config struct)

Great contribution! / 优秀的贡献！