Following up on ROX-27488 and related other tagging tasks (ROX-26026, ROX-27384, ROX-27716), it makes sense to introduce a check that the embedded versions are the ones which we passed into containers.

There's a number of hoops it takes from the place which decides the image tag (and hence the version) until this appears in the ultimate executable and so any failure there can cause the product to be ultimately not installable (worse only under some conditions). The idea is to implement a check in the pipeline which would fail the pipeline if the recorded embedded version differs from the image tag.

This requires extracting specified executables from the image and looking up string data within them.