--ssl-no-revoke disables TLS certificate revocation on all binary downloads #60

@Raze3478

Every download in install-core.ps1 uses the following curl invocation:

curl.exe -L --ssl-no-revoke --progress-bar <URL> -o <dest>

The --ssl-no-revoke flag disables certificate revocation checking entirely.
This applies to downloads of:

  • Ollama (from GitHub Releases)
  • AnythingLLM (from cdn.anythingllm.com)
  • All GGUF model files (from huggingface.co)

If any of these CDNs were serving content under a revoked or compromised
certificate, curl would not detect it — the download and subsequent execution
would proceed silently.

For a tool explicitly marketed on privacy and zero-trust operation, bypassing
revocation checking is a meaningful gap in the trust chain.

Expected behaviour

TLS revocation checking should be active. Removing --ssl-no-revoke is
sufficient on modern Windows builds where OCSP/CRL support is functional.

For the Ollama release binary specifically, published SHA256 checksums are
available in the GitHub release assets. Post-download verification against
those checksums would provide an additional integrity layer independent of TLS.

Proposed fix

  • Remove --ssl-no-revoke from all curl.exe calls in install-core.ps1
  • Add SHA256 checksum verification for the Ollama binary after download,
    using the hash published in the corresponding GitHub release
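
One way the two proposed steps could look in PowerShell, as an added example that is not code from install-core.ps1 or from the issue author. The function names, the `.partial` suffix, the file names in the usage comment, and the sha256sum-style layout of the published checksum list are assumptions.

```powershell
# Added example: all names, URLs and file names here are hypothetical placeholders.
function Get-ExpectedSha256 {
    # Look up one file's hash in sha256sum-style text ("<64 hex>  <filename>" per line).
    # Assumption: the release publishes its checksums in this layout.
    param([string[]]$ChecksumLines, [string]$FileName)
    foreach ($line in $ChecksumLines) {
        if ($line -match '^\s*([0-9a-fA-F]{64})\s+\*?(.+?)\s*$' -and $Matches[2] -eq $FileName) {
            return $Matches[1].ToLowerInvariant()
        }
    }
    throw "No SHA256 entry for '$FileName' in checksum list"
}

function Get-VerifiedDownload {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][ValidatePattern('^[0-9a-fA-F]{64}$')][string]$ExpectedSha256
    )
    $partial = "$Destination.partial"
    # No --ssl-no-revoke: Schannel certificate revocation checking stays enabled.
    # --fail turns HTTP errors into a non-zero exit instead of saving the error page.
    & curl.exe -L --fail --progress-bar $Url -o $partial
    if ($LASTEXITCODE -ne 0) {
        Remove-Item -LiteralPath $partial -ErrorAction SilentlyContinue
        throw "curl.exe failed with exit code $LASTEXITCODE for $Url"
    }
    $actual = (Get-FileHash -LiteralPath $partial -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {   # -ne compares strings case-insensitively
        Remove-Item -LiteralPath $partial -Force
        throw "SHA256 mismatch for ${Url}: expected $ExpectedSha256, got $actual"
    }
    # Only a verified file ever appears under the final name.
    Move-Item -LiteralPath $partial -Destination $Destination -Force
}

# Usage (constructed placeholders):
# $hash = Get-ExpectedSha256 -ChecksumLines (Get-Content .\checksums.txt) -FileName 'installer.exe'
# Get-VerifiedDownload -Url '<RELEASE_ASSET_URL>' -Destination .\installer.exe -ExpectedSha256 $hash
```

A hash pinned in the installer script, rather than fetched at install time from the same host as the binary, keeps the integrity check independent of the download channel.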
