tech-pkg archive
pkg_info -X: Add FILE_CKSUM (sha256)
The pkg_summary(5) file documents the following syntax:
FILE_CKSUM
(optional) A checksum type supported by digest(1) and checksum
separated by space character.
But it was apparently never implemented in `pkg_info -X'. This patch
implements it, with SHA256 for now.
This allows a client to verify that the .tgz file it got by reference
from a pkg_summary is the same as the one the pkg_summary meant.
This is important for detecting version rollback attacks -- signing
the package itself doesn't help. (Patch to pkgin to verify the hashes
coming.)
pkg_install already uses the NetBSD sha2(3) API in pkg_admin, so this
brings in no new library dependencies. (Any other hash might.)
OK?
diff --git a/pkgtools/pkg_install/files/info/show.c b/pkgtools/pkg_install/files/info/show.c
index daf3bdba6a08..80e9599d1129 100644
--- a/pkgtools/pkg_install/files/info/show.c
+++ b/pkgtools/pkg_install/files/info/show.c
@@ -60,6 +60,11 @@ __RCSID("$NetBSD: show.c,v 1.33 2012/02/21 18:32:14 wiz Exp $");
#if HAVE_ERR_H
#include <err.h>
#endif
+#ifndef NETBSD
+#include <nbcompat/sha2.h>
+#else
+#include <sha2.h>
+#endif
#include "defs.h"
#include "lib.h"
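Review bot: the new include block keys on `#ifndef NETBSD`, while the file's other conditional includes a few lines above (`#if HAVE_ERR_H`) use configure-detected HAVE_* macros; a build where NETBSD is not defined will always take the `<nbcompat/sha2.h>` branch even if a system `<sha2.h>` is what the rest of the build is using. Since the message cites pkg_admin as the existing user of the NetBSD sha2(3) API, copy the exact guard form pkg_admin uses for its sha2 include here so the two cannot drift.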
@@ -378,6 +383,7 @@ show_summary(struct pkg_meta *meta, package_t *plist, const char *binpkgfile)
if (binpkgfile != NULL && stat(binpkgfile, &st) == 0) {
const char *base;
+ char sha256[SHA256_DIGEST_STRING_LENGTH];
base = strrchr(binpkgfile, '/');
if (base == NULL)
@@ -386,7 +392,7 @@ show_summary(struct pkg_meta *meta, package_t *plist, const char *binpkgfile)
base++;
printf("FILE_NAME=%s\n", base);
printf("FILE_SIZE=%" MY_PRIu64 "\n", (uint64_t)st.st_size);
- /* XXX: DIGETS */
+ printf("FILE_CKSUM=sha256 %s\n", SHA256_File(binpkgfile, sha256));
}
print_string_as_var("DESCRIPTION", meta->meta_desc);
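Review bot: `SHA256_File()` returns NULL when it cannot open or read the file, and the new line passes that return value straight to `%s`, which is undefined behaviour; the `stat()` guard above only shows the path exists, not that it is readable. Capture the return value and skip the field with a warning on failure, which is allowed since pkg_summary(5) documents FILE_CKSUM as optional:
if (SHA256_File(binpkgfile, sha256) == NULL)
    warn("cannot hash %s", binpkgfile);
else
    printf("FILE_CKSUM=sha256 %s\n", sha256);
Note also that the field is now computed on every `pkg_info -X` run that is given a binpkgfile, so the whole package is read each time; that is the intended cost, but it is worth a sentence in the commit log.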
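The client-side check the message describes (a client such as pkgin verifying the .tgz it fetched against the summary's FILE_CKSUM), written as an added example in Python rather than in pkgin's C; it is not code from pkg_install or pkgin. The pkg_summary records and the package bytes are constructed for the demonstration; the parser follows the `VAR=value`, blank-line-separated layout of pkg_summary(5) and the `<type> <hexdigest>` FILE_CKSUM form the patch emits. It goes slightly beyond the text in one respect: a record with no FILE_CKSUM, or with a digest type the client does not support, fails closed instead of being skipped, since a check an attacker can make the client skip detects no rollback.

```python
"""Verify a fetched binary package against pkg_summary(5) FILE_CKSUM.

Added example, not code from pkg_install or pkgin.  All summary text and
package bytes below are constructed for the demonstration.
"""
import hashlib
import os
import string
import tempfile

# Digest types this client accepts.  The patch under discussion emits sha256
# only; an unknown type must be a verification failure, not a skip.
SUPPORTED_DIGESTS = {"sha256": hashlib.sha256}

# Constructed package bytes: the current package and an older one of the same
# length, standing in for a validly signed but superseded .tgz that an
# attacker serves in a rollback attack.
CURRENT_PKG = b"fake-1.1 binary package contents (constructed)\n"
OLD_PKG = b"fake-1.0 binary package contents (constructed)\n"

# Constructed pkg_summary(5) records, blank-line separated, with FILE_CKSUM in
# the "<type> <hexdigest>" form pkg_info -X emits with the patch applied.
SUMMARY_TEXT = "\n".join([
    "PKGNAME=fake-1.1",
    "FILE_NAME=fake-1.1.tgz",
    "FILE_SIZE=%d" % len(CURRENT_PKG),
    "FILE_CKSUM=sha256 %s" % hashlib.sha256(CURRENT_PKG).hexdigest(),
    "",
    "PKGNAME=nocksum-2.0",          # record without the optional FILE_CKSUM
    "FILE_NAME=nocksum-2.0.tgz",
    "FILE_SIZE=10",
    "",
    "PKGNAME=weird-3.0",            # digest type this client does not support
    "FILE_NAME=weird-3.0.tgz",
    "FILE_SIZE=10",
    "FILE_CKSUM=md5 d41d8cd98f00b204e9800998ecf8427e",
]) + "\n"


def parse_summary(text):
    """Parse pkg_summary(5) text into a list of {VAR: [lines]} dicts.
    Records are separated by blank lines; a multi-line variable repeats its
    name on each line, so every variable maps to a list of value lines."""
    records, current = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition("=")
        if not sep or not name:
            raise ValueError("pkg_summary line %d is not VAR=value" % lineno)
        current.setdefault(name, []).append(value)
    if current:
        records.append(current)
    return records


def parse_file_cksum(value):
    """FILE_CKSUM is '<digest type> <hex digest>' separated by a space.
    Returns (type, lowercase hex) or raises ValueError when the field is
    malformed or names a digest type this client does not support."""
    parts = value.split()
    if len(parts) != 2:
        raise ValueError("malformed FILE_CKSUM: %r" % value)
    digest_type, hexdigest = parts[0], parts[1].lower()
    ctor = SUPPORTED_DIGESTS.get(digest_type)
    if ctor is None:
        raise ValueError("unsupported digest type %r" % digest_type)
    if len(hexdigest) != 2 * ctor().digest_size or \
            any(c not in string.hexdigits for c in hexdigest):
        raise ValueError("bad %s digest in FILE_CKSUM" % digest_type)
    return digest_type, hexdigest


def _compare(record, digest_type, expected, size, actual):
    """Size first (cheap), then digest.  Equal sizes are not enough: the
    rollback case below has the same FILE_SIZE and a different digest."""
    if "FILE_SIZE" in record and int(record["FILE_SIZE"][0]) != size:
        return False, "FILE_SIZE mismatch"
    if actual != expected:
        return False, "%s digest mismatch (rollback or tampering)" % digest_type
    return True, "ok"


def verify_bytes(record, data):
    """Check in-memory package bytes against the record; returns (ok, reason).
    A record with no FILE_CKSUM fails closed rather than being skipped."""
    if "FILE_CKSUM" not in record:
        return False, "no FILE_CKSUM in summary record"
    try:
        digest_type, expected = parse_file_cksum(record["FILE_CKSUM"][0])
    except ValueError as e:
        return False, str(e)
    actual = SUPPORTED_DIGESTS[digest_type](data).hexdigest()
    return _compare(record, digest_type, expected, len(data), actual)


def verify_file(record, path):
    """Same check for an on-disk .tgz, hashed in chunks so a large package
    is never read into memory whole."""
    if "FILE_CKSUM" not in record:
        return False, "no FILE_CKSUM in summary record"
    try:
        digest_type, expected = parse_file_cksum(record["FILE_CKSUM"][0])
    except ValueError as e:
        return False, str(e)
    h, size = SUPPORTED_DIGESTS[digest_type](), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
            size += len(chunk)
    return _compare(record, digest_type, expected, size, h.hexdigest())


if __name__ == "__main__":
    records = {r["PKGNAME"][0]: r for r in parse_summary(SUMMARY_TEXT)}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fake-1.1.tgz")
        with open(path, "wb") as f:
            f.write(CURRENT_PKG)
        print("genuine package :", verify_file(records["fake-1.1"], path))
        with open(path, "wb") as f:          # mirror served the old package
            f.write(OLD_PKG)
        print("rolled-back pkg :", verify_file(records["fake-1.1"], path))
    print("no FILE_CKSUM   :", verify_bytes(records["nocksum-2.0"], b"0123456789"))
    print("unsupported type:", verify_bytes(records["weird-3.0"], b"0123456789"))
```

The rollback case is the one the message is about: the old package is a perfectly good signed .tgz of the same size, so only the digest bound into the summary the client trusted distinguishes it from the current one. Treating a missing or unrecognised FILE_CKSUM as a failure is a client policy choice made in this example; pkg_summary(5) marks the field optional, so a deployment would decide whether to require it.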