  1. Service Design and Creation
  2. SDC-2707

Package Security - SOL004 - check the hash of the "Source" entries in manifest file


      Verify the hash of each "Source" artifact entry in the manifest file.

      From item 5.2 of the SOL004 documentation:

      [...] the manifest contains the digests (hashes) for each individual file locally stored within the VNF package or referenced from it. Each file related entry of the manifest file includes the path or URI of the individual file, the hash algorithm and the generated digest. A consumer of the VNF package shall verify the digests in the manifest file by computing the actual digests and comparing them with the digests listed in the manifest file.

      Currently the hashes and algorithms are read from the manifest file, but they are not checked against the related artifacts.

      Example excerpt from a manifest, taken from item 5.3 of the SOL004 document:

      Source: MRF.yaml
      Algorithm: SHA-256
      Hash: 09e5a788acb180162c51679ae4c998039fa6644505db2415e35107d1ee213943
      Source: scripts/install.sh
      Algorithm: SHA-256
      Hash: d0e7828293355a07c2dccaaa765c80b507e60e6167067c950dc2e6b0da0dbd8b
      Source: https://www.vendor_org.com/MRF/v4.1/scripts/scale/scale.sh
      Algorithm: SHA-256
      Hash: 36f945953929812aca2701b114b068c71bd8c95ceb3609711428c26325649165

      This relates to SOL004 package security "Option 1", but can also be combined with "Option 2". See items 5.1, 5.2 and 5.3 of the SOL004 documentation.

      SOL004 v2.6.1 doc: https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/004/02.06.01_60/gs_nfv-sol004v020601p.pdf
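
One way to perform the check this issue asks for, as an added Python example (not SDC's own code): parse the Source/Algorithm/Hash groups, recompute each local file's digest and compare it with the listed one. The function names, status strings, algorithm allow-list and the constructed sample package are assumptions of this example; URI sources are reported as unverified rather than fetched.

```python
import hashlib
import tempfile
from pathlib import Path
ALGORITHMS = {"SHA-256": "sha256", "SHA-512": "sha512"}  # assumed allow-list

def parse_source_entries(manifest_text):
    """Collect Source/Algorithm/Hash groups; each Source line starts a new one."""
    entries = []
    for line in manifest_text.splitlines():
        key, sep, value = (p.strip() for p in line.partition(":"))  # first colon only
        if sep and key == "Source":
            entries.append({"Source": value})
        elif sep and key in ("Algorithm", "Hash") and entries:
            entries[-1][key] = value
    return entries

def verify_sources(manifest_text, package_root):
    """Return {source: status} after recomputing each local file's digest."""
    root = Path(package_root).resolve()
    results = {}
    for entry in parse_source_entries(manifest_text):
        src = entry["Source"]
        algo = ALGORITHMS.get(entry.get("Algorithm", "").upper())
        path = (root / src).resolve()
        if algo is None or "Hash" not in entry:
            results[src] = "invalid-entry"      # unknown algorithm or no digest
        elif "://" in src:
            results[src] = "remote-unverified"  # fetching is out of scope here
        elif root not in path.parents or not path.is_file():
            results[src] = "missing"            # absent or outside the package
        else:
            actual = hashlib.new(algo, path.read_bytes()).hexdigest()
            results[src] = "ok" if actual == entry["Hash"].lower() else "mismatch"
    return results

def demo():
    """Constructed package: one intact file, one altered file, one URI entry."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "scripts").mkdir()
        (root / "MRF.yaml").write_bytes(b"constructed descriptor\n")
        (root / "scripts" / "install.sh").write_bytes(b"echo altered\n")
        good = hashlib.sha256(b"constructed descriptor\n").hexdigest()
        manifest = (
            f"Source: MRF.yaml\nAlgorithm: SHA-256\nHash: {good}\n"
            f"Source: scripts/install.sh\nAlgorithm: SHA-256\nHash: {'0' * 64}\n"
            f"Source: https://vendor.example/scale.sh\nAlgorithm: SHA-256\nHash: {good}\n"
        )
        return verify_sources(manifest, root)
```

A consumer would reject the package on any status other than "ok", which includes URI entries until their content has been fetched and hashed as well.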

            Unassigned
            andre.schmid