Add support for verifying at least a hash of pdf.js

[girlbossceo]

While the app uses zero permissions so a deep compromise of it won't be very effective, there is no verification of pdf.js other than the (unsigned) tag from pdfjs-dist when building and nothing is verifying pdf.js when it's ran.

[thestinger]

I don't see any point of doing something at runtime since it's inside of the APK assets. It's not read from outside the APK. There isn't really anything we can do about them not signing tags beyond asking them to do that. It does get referred to via a GIt commit hash so there is a hash for people building PdfViewer themselves.