restorePackageArchiveForKey copied a cached package archive out of the
build cache and returned its recorded archive_hash/signature verbatim,
with no check that those still matched the file's actual bytes. This
was asymmetric with storePackageArchiveForKey, which does verify before
caching. If the cached archive bit-rotted or was otherwise overwritten
on disk, a stale/wrong hash+signature pair would be handed back as if
it described the restored bytes.
Fix by re-hashing the copied archive and comparing against the recorded
archive_hash before returning it. On mismatch, treat the entry as a
cache miss (matching the self-healing convention used elsewhere in this
cache) so the caller rebuilds the package fresh instead of trusting
metadata that doesn't match the restored file.
Add a regression test that stores a real archive, corrupts the cached
copy on disk to simulate bit rot, and confirms restorePackageArchiveForKey
now returns null instead of a mismatched hash/signature pair. Verified
the test fails without the fix (a non-null result is returned and
leaked, since nothing frees a hit the caller wasn't expecting).