Ignition decompresses remote resource before verifying its hash

[bgilbert]

When retrieving a compressed resource, we first decompress the contents and then verify the hash of the decompressed data. This is consistent with a careful reading of the spec:

compression (string): the type of compression used on the contents (null or gzip). Compression cannot be used with S3.
verification (object): options related to the verification of the file contents.

This behavior is convenient in some ways, because it allows the server to vary the compression without affecting Ignition. But it also causes Ignition to decompress untrusted data, which is not great security practice. It might be okay for gzip, which is a heavily-deployed decompressor, but could be dangerous if we added support for less widely-used algorithms.