Epic
Resolution: Unresolved
Support for hash field in http resolver
In Progress
0% To Do, 33% In Progress, 67% Done
This is an upstream issue created on the tektoncd/pipeline repo: https://github.com/tektoncd/pipeline/issues/8759
Feature request
Add an optional hash, digest, or more appropriately named field to the HTTP resolver spec in which a user provides a hash of the content at the URL. If the field is populated, the http resolver would enforce that the http response's content hashes to the same value.
The http resolver could also have a configuration setting to require this field.
Use case
As a security-minded Tekton user, I prefer using resolvers which have some security guarantees. The git resolver provides guarantees via git hashes and the bundles resolver provides similar guarantees via the bundle digest. However, in some cases the http resolver is necessary, but as of right now there are no mechanisms to guarantee the content received from the http request is the content I expect. Further, in order to better secure the pipelines, I would like to enforce that anyone authoring pipelineruns in my cluster is using secure practices.
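One way the requested check could behave, as an added example in Go that is not part of the issue or of Tekton's code. The `<algorithm>:<hex>` field format, the function and error names, and the `requireDigest` flag are all assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
	"strings"
)

// Hypothetical names and "<algorithm>:<hex>" format: the issue defines neither.
var ErrDigestRequired = errors.New("digest required by resolver configuration")
var ErrDigestMismatch = errors.New("content does not match expected digest")
var hashers = map[string]func() hash.Hash{"sha256": sha256.New, "sha512": sha512.New}

// VerifyContent checks body against expected; requireDigest models the proposed mandatory-field setting.
func VerifyContent(body []byte, expected string, requireDigest bool) error {
	if expected == "" {
		if requireDigest {
			return ErrDigestRequired
		}
		return nil // optional field left empty: nothing to enforce
	}
	algo, hexSum, _ := strings.Cut(expected, ":")
	newHash, ok := hashers[strings.ToLower(algo)]
	if !ok { // fail closed: an unknown algorithm must not skip the check
		return fmt.Errorf("unsupported or malformed digest %q", expected)
	}
	h := newHash()
	want, err := hex.DecodeString(hexSum)
	if err != nil || len(want) != h.Size() {
		return fmt.Errorf("malformed %s digest value", algo)
	}
	h.Write(body)
	if subtle.ConstantTimeCompare(h.Sum(nil), want) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	body := []byte("kind: Task\n") // constructed sample response body
	sum := sha256.Sum256(body)
	pinned := "sha256:" + hex.EncodeToString(sum[:])
	fmt.Println(VerifyContent(body, pinned, true), VerifyContent([]byte("tampered"), pinned, true))
}
```

The check runs on the complete response body before it is parsed, so a mismatch rejects the content outright.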
- is blocked by
SRVKP-8793 Testing for the epic
- To Do