Add defense-in-depth verification for downloaded Unraid ZIPs

[elibosley]

Scope:

• Security hardening/enhancement for installer runtime ZIP handling.
• Does not block making the repository public unless release owners choose to gate launch on this defense-in-depth work.

zip.sh downloads release metadata and ZIP payloads, while create_flash_boot.sh extracts the selected ZIP and executes make_bootable_linux from that archive as root.

Risk:

• Compromised metadata, transport, mirror content, or an unexpected URL can become root code execution.
• Stronger host and payload verification would reduce supply-chain exposure before archive-provided code runs as root.

Acceptance criteria:

• Release URLs are constrained to approved hosts and schemes.
• ZIP payloads are verified through a signed manifest or independently trusted checksum before use.
• Root execution of archive-provided scripts is explicitly justified, minimized, and gated on verification success.
• Failure messaging clearly tells users when integrity verification fails.

[elibosley]

Release-readiness triage update on 2026-05-20:

Keeping this open as security hardening, not as a public visibility or public artifact release blocker. Current zip.sh already constrains release ZIP downloads to the expected https://releases.unraid.net/dl/ path and supported Unraid ZIP filename shape.

Remaining work is the stronger trust boundary described here: signed manifest or independently trusted checksum verification before archive-provided code is used. That is worthwhile defense-in-depth, but it should not be represented as required before making the repo public.