From PowerShell.org fork:  Users of the resource can specify validation parameters based on the file's expected hash, digital signature, or both.

New:  Original Package and xPackage resources were setting the ServerCertificateValidationCallback property to {$true}, which may as well just be labelled "making malicious websites' jobs easy."

The resource now uses default behavior, refusing self-signed or otherwise invalid certificates.  Users can specifiy their own script block for the new ServerCertificateValidationCallback property, if they so choose.  (And they can be more secure about it, such as pinning a specific self-signed certificate by its thumbprint, etc.)

To do:

- Figure out how to test this stuff in Pester.  I've tested it manually, but we need a running web server to test this.  Maybe find something we can kick off from the command line locally in the tests, rather than relying on IIS.
- Add examples for usage of the new properties.