track hashes for all TBB dep source files
I think that to increase the ability for people to build TBB, we should track the expected hashes in git. I also think that during the ```source-dance```` target, we should ensure that before we unpack anything that we have verified the downloaded files have the expected hashes.