(#13260) Use mktmpdir when downloading packages
This fixes a security vulnerability in the appdmg and pkgdmg providers where
they would curl packages directly into /tmp and the install them, allowing an
attacker to craft a symlink and overwrite arbitrary files or install arbitrary
packages.