Test them before moving them to the final location.
This makes the download fial of there is some file corruption etc.
This adds a dependency on the zstd exectuable for the fetch-assets
command.
Motivated by https://github.com/msys2/msys2-main-server/issues/42
We currently allow some users to manually upload packages (in case
they take too long for CI, or to bootstrap things).
In case of an account takeover this would allow an attacker to upload/replace
files in staging. To reduce the risk a bit ask for confirmation when downloading
the manually uploaded files.
Also add a "--noconfirm" option so we can avoid the questions in the staging
download script.
Ideally we would require users to sign their files, but this helps a bit at least.
