raulfraile / distill

Smart compressed files extractor for PHP

[RFC] Integrity checks

raulfraile opened this issue · comments

I have been thinking about ways to check the integrity of the files before and after the decompression method takes place. Even though the main goal of the library is to decompress files, I think it is important to not forget about some basic security measures. I would be interested to know if this would be used and how.

This would be a list of nice-to-have features:

Before decompression:

  • Check that the file is a valid format file. Some commands provide this option and for the rest, an attempt to open the file could determine if it's correct or not.
  • Provide an expected checksum for the file and check that it is correct.

After decompression:

  • Provide a list of files that should be in the decompressed folder and check that it corresponds with the decompressed files.
  • Provide an expected checksum for the decompressed structure and check that it is correct.

Any comments? /cc @javiereguiluz

I really like this proposal. This is something that we definitely would use for the Symfony installer. As a matter of fact, the checksums for all the Symfony components are publicly available in this repo.

This is an example of the checksums published for the Filesystem component version 2.5.6, so we have the files, ZIP and other checksums to verify:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

package:    symfony/filesystem
version:    2.5.6
sha1:       4e62fab0060a826561c78b665925b37c870c45f5
zip_sha1:   a2d74e96873a94e8cc3fb3ee09ef32cb85aa32f7
files_sha1: 73e283c78f86bb33e039bf58da02023dbae46f36
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iF4EAREIAAYFAlRKCNkACgkQ64qmmlZsB5V1FAD+IYcIBdbXwpvBYRaDDKK35p9o
uDxt+3f4WRlPGRCwECQA/1HR6pQp4mEdlGolqDctgwlxAOzt29r0xA5BBumO6BNU
=eSZV
-----END PGP SIGNATURE-----
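
The before and after checks proposed in this thread, sketched in PHP (7.4+) as an added example; it is not code from Distill or the Symfony installer. The function names `verifyArchive`, `manifest` and `verifyTree`, the path-to-digest manifest format, the SHA-256 default (pass `'sha1'` to compare against published SHA-1 values) and the constructed sample files are assumptions; how `files_sha1` is derived is not stated on the page and is not reproduced here.

```php
<?php
// Added example, not Distill's API: function names and manifest format are assumptions.
/** Before decompression: compare the archive's digest with the expected one. */
function verifyArchive(string $path, string $expected, string $algo = 'sha256'): bool
{
    $actual = hash_file($algo, $path);
    // hash_equals() compares in constant time; hash_file() returns lowercase hex.
    return $actual !== false && hash_equals(strtolower($expected), $actual);
}

/** Relative path => digest for every entry under $dir; symlinks, FIFOs and devices are flagged, never hashed. */
function manifest(string $dir, string $algo = 'sha256'): array
{
    $dir = rtrim($dir, '/\\');
    $files = [];
    $tree = new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS);
    foreach (new RecursiveIteratorIterator($tree) as $f) {
        $rel = str_replace('\\', '/', substr($f->getPathname(), strlen($dir) + 1));
        $regular = !$f->isLink() && $f->isFile();
        $files[$rel] = $regular ? (hash_file($algo, $f->getPathname()) ?: 'unreadable') : 'not-regular';
    }
    ksort($files);
    return $files;
}

/** After decompression: list missing, unexpected and modified paths. */
function verifyTree(string $dir, array $expected, string $algo = 'sha256'): array
{
    $actual = manifest($dir, $algo);
    $differs = fn ($digest, $path) => !hash_equals((string) $expected[$path], $digest);
    $changed = array_filter(array_intersect_key($actual, $expected), $differs, ARRAY_FILTER_USE_BOTH);
    return [
        'missing'    => array_keys(array_diff_key($expected, $actual)),
        'unexpected' => array_keys(array_diff_key($actual, $expected)),
        'modified'   => array_keys($changed),
    ];
}

// Constructed sample: a stand-in archive file and an already-extracted directory.
$tmp = sys_get_temp_dir() . '/integrity-demo-' . bin2hex(random_bytes(4));
mkdir("$tmp/out/src", 0700, true);
file_put_contents("$tmp/pkg.zip", 'constructed archive bytes');
file_put_contents("$tmp/out/src/Filesystem.php", 'constructed file');
$expected = manifest("$tmp/out");              // in practice supplied by the publisher
var_dump(verifyArchive("$tmp/pkg.zip", hash_file('sha256', "$tmp/pkg.zip")));
file_put_contents("$tmp/out/src/Filesystem.php", 'tampered');   // modify a listed file
file_put_contents("$tmp/out/extra.php", 'planted');             // add an unlisted file
print_r(verifyTree("$tmp/out", $expected));
```

A caller would treat the extraction as valid only when `verifyArchive` returns true and all three lists from `verifyTree` are empty.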