this package is a little weird because there is only ever one valid "version."
later versions invalidate previous versions and there is no way to retrieve
older versions after a new version is released. (see the 'urls' file.)

if verification fails, it may just be that 'cacert.pem' has been updated and
the checks have not yet been regenerated and pushed.

pulling any version older than the latest version is not supported, even if
those older versions are listed in the 'checks' file.  the 'checks' file here
is mostly of historical significance.