Add integrity verification for installer downloads #55

@KerwinTsaiii

Description

Summary

auplc-installer downloads binaries/scripts (k3s, helm, k9s, manifests) and executes/uses them without checksum or signature verification. It also uses pipe-to-shell installation in one path.

Why this matters

This increases supply-chain risk: tampered or corrupted downloads could be executed with elevated privileges.

Current behavior

  • Remote binaries/scripts are fetched and immediately used.
  • No hash/signature verification step is enforced.
  • Includes curl ... | sh style install path.

Expected behavior

Downloaded artifacts should be cryptographically verified before execution/use.

Proposed fix

  • Pin and verify checksums/signatures for downloaded artifacts.
  • Avoid pipe-to-shell where possible; download then verify then execute.
  • Fail fast on verification mismatch.
  • Document the trust model for online/offline installation paths.

Acceptance criteria

  • Installer verifies integrity for all critical downloads.
  • Verification failures stop installation with clear error messages.
  • Docs describe verification behavior and update process for pinned versions.
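The download-then-verify-then-execute flow from "Proposed fix", with the fail-fast behaviour the acceptance criteria ask for, as an added example. This is not auplc-installer's code; the URL, the artifact contents and the pinned digest are constructed for the demo, and `fetch_verify_run` is a hypothetical helper name. The pinned hash stands in for a value the installer would hard-code per release.

```shell
#!/bin/sh
# Added example, not part of auplc-installer. Shows the pinned-checksum
# pattern: download to a file, verify SHA-256 against a value pinned in
# the installer, and only then execute. Never pipe the download into sh.
set -eu

# sha256_of FILE: print the hex SHA-256 digest (GNU coreutils or BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 on match. On mismatch prints a clear error to stderr and
# returns 1; under set -e the caller stops right there (fail fast).
verify_artifact() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "ERROR: checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# fetch_verify_run URL EXPECTED_SHA256 (hypothetical helper): download to a
# temp file, verify, then make executable and run. Requires network, so it
# is defined here but not called in the offline demo below.
fetch_verify_run() {
  url=$1
  expected=$2
  tmp=$(mktemp)
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  verify_artifact "$tmp" "$expected"
  chmod 0755 "$tmp"
  "$tmp"
  rm -f "$tmp"
}

# Offline demo with a constructed artifact. The pinned value is the
# SHA-256 of the literal bytes "hello\n", the role a per-release pin plays.
PINNED_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
demo=$(mktemp)
printf 'hello\n' > "$demo"
if verify_artifact "$demo" "$PINNED_SHA256"; then
  echo "artifact verified; safe to execute"
fi
# Simulate a tampered or corrupted download: one extra byte changes the digest.
printf 'x' >> "$demo"
if ! verify_artifact "$demo" "$PINNED_SHA256"; then
  echo "installation aborted"
fi
rm -f "$demo"
```

Checksums pinned in the installer only defend against tampering on the download path; for artifacts whose publishers also sign releases, verifying the signature (and pinning the signing key) is the stronger check, and either way the pins need a documented update step whenever a pinned version is bumped.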
