
makepkg: immutable git sources by hashing the checkout content

This feature makes Git VCS build inputs immutable by adding support for pinning a Git checkout by a hash of its content using the deterministic export functionality git archive.

This feature aids packagers by allowing them to use simple and convenient refnames (instead of full commit hashes) in the PKGBUILD while still preserving security implications of immutable build inputs using a trusted cryptographic hash function of the content.

Previously, VCS source downloads were skipped for --geninteg and --source, as both options did not need a checkout. This commit changes this behavior by forcing the download of all sources, as integrity checks and generation require an up-to-date state.

Signed-off-by: Levente Polyak anthraxx@archlinux.org
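
The pinning idea described above, as an added example that is not code from this merge request or from makepkg: a ref is hashed through `git archive`, and a later move of the tag shows up as a hash mismatch. The function names, the throwaway repository, and its fixed identity and dates are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not makepkg's code): pin a Git ref by hashing `git archive` output.
set -eu

# SHA-256 of the tar export of <ref> in <repo>. For a commit or tag, git archive
# stamps entries with the commit time, so the same commit gives the same bytes.
archive_hash() {
    git -C "$1" archive --format=tar "$2" | sha256sum | cut -d' ' -f1
}

# Succeed only when the current content of <ref> matches the pinned hash.
verify_pin() {   # verify_pin <repo> <ref> <expected-sha256>
    [ "$(archive_hash "$1" "$2")" = "$3" ]
}

# Write and commit hello.txt in a constructed sample repository; identity and
# dates are fixed so the demo does not depend on local git configuration.
commit_file() {   # commit_file <repo> <content> <message>
    printf '%s\n' "$2" > "$1/hello.txt"
    git -C "$1" add hello.txt
    GIT_AUTHOR_DATE='1704067200 +0000' GIT_COMMITTER_DATE='1704067200 +0000' \
        git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false commit -q -m "$3"
}

demo() {
    repo=$(mktemp -d)
    git init -q "$repo"
    commit_file "$repo" 'release 1.0' 'initial'
    git -C "$repo" tag v1.0
    pin=$(archive_hash "$repo" v1.0)      # the value a packager would record
    verify_pin "$repo" v1.0 "$pin" && first=ok || first=mismatch
    # Upstream later moves the same tag name to different content.
    commit_file "$repo" 'release 1.0 (changed)' 'retag'
    git -C "$repo" tag -f v1.0 >/dev/null
    verify_pin "$repo" v1.0 "$pin" && second=ok || second=mismatch
    rm -rf "$repo"
    echo "$first $second"
}

demo   # prints: ok mismatch
```

Hash a commit or tag, not a bare tree: for a tree ID `git archive` uses the current time as the file modification time, so the output is not stable between runs.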