Speed up the checksum computation in the verification JavaScript
Our verification JavaScript uses the Forge library to compute the checksum of the download.
We chose Forge because it was the fastest in this benchmark of JavaScript checksum implementations.
We cannot use the native SubtleCrypto.digest() API because it cannot read files as streams and would require loading the entire image in memory before computing its checksum.
We also rely on reading the image as a stream to display the progress bar, which is really important since the whole verification takes close to 1 minute.
We might be able to speed up the computation by using WebAssembly.
The requirements for this work would be:
- To fall back to Forge if WebAssembly is unavailable. For example, WebAssembly is disabled in the "Safer" security level of Tor Browser, while the verification with Forge works at this security level.
- To build reproducibly, so we can trust the binary build.
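
The chunked read that feeds both the incremental checksum and the progress bar, together with the WebAssembly fallback decision, as an added example that is not the project's own code. `wasmUsable`, `pickBackend`, `digestBlob` and the backend shape (`create()`, `update()`, `digestHex()`) are assumptions, and the FNV-1a hasher is a constructed, non-cryptographic stand-in for a Forge or WebAssembly hasher adapter.

```javascript
// Added example. All names here are hypothetical, not from Forge or the project.

// True only if WebAssembly is present and can compile the smallest valid
// module ("\0asm" magic + version 1). Browsers that disable it fail this probe.
function wasmUsable() {
  try {
    if (typeof WebAssembly !== 'object') return false;
    const empty = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);
    return new WebAssembly.Module(empty) instanceof WebAssembly.Module;
  } catch (e) {
    return false;
  }
}

// Prefer the WebAssembly backend, otherwise fall back to the pure-JS one.
function pickBackend(backends, wasmOk = wasmUsable()) {
  return wasmOk && backends.wasm ? backends.wasm : backends.js;
}

// Hash a Blob/File chunk by chunk: memory stays bounded by chunkSize and the
// caller gets a progress fraction after every chunk.
async function digestBlob(blob, backend, onProgress = () => {}, chunkSize = 4 << 20) {
  if (!(chunkSize > 0)) throw new RangeError('chunkSize must be positive');
  const hasher = backend.create();
  for (let offset = 0; offset < blob.size; offset += chunkSize) {
    const end = Math.min(offset + chunkSize, blob.size);
    hasher.update(new Uint8Array(await blob.slice(offset, end).arrayBuffer()));
    onProgress(end / blob.size);
  }
  return hasher.digestHex();
}

// Constructed stand-in backend: incremental FNV-1a (32-bit). NOT cryptographic;
// it only stands where a Forge or WebAssembly hasher adapter would plug in.
const standInBackend = {
  name: 'js',
  create() {
    let h = 0x811c9dc5;
    return {
      update(bytes) { for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0; },
      digestHex() { return h.toString(16).padStart(8, '0'); },
    };
  },
};
```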