The `RemoteAsset` rule should sanity check downloaded files where possible

[michaelpj]

It appears that downloading tarballs from GitHub can sometimes succeed but give you a truncated file (we've been observing this, and I can't see any other explanation). This is pretty bad, because it poisons the cache: we will just keep trying to unpack the tarball and fail, and nothing will change on a rerun.

The only sensible solutions I can think of are:

1. Teach RemoteAsset that the target URI is, say, a .tar.gz file, and then test it before succeeding. In the case that I found, gunzip --test found the problem.
2. Require specified hashes for all sources in the meta.toml. This will be pretty painful but we'd need it if we wanted Nix support anyway, so maybe we should just do it. See Allow pinning the content of remote sources with hashes #45

C.f. NixOS/nix#4533 (we're using a new enough curl that the specific problem there shouldn't be happening, and I don't know why it is happening, but it definitely is happening)