
[RFE] Support the hash_sha256 attribute for regular packages #633

Open
pothos opened this issue Dec 13, 2022 · 0 comments


pothos commented Dec 13, 2022

Current situation

Flatcar packages have a sha256 sum in the postinstall extension, and extra file packages have sha256 sums for the extra files.
However, regular application packages don't have a sha256 sum available.

Impact

Only sha1 is available for regular packages and it's not deemed secure enough anymore.

Ideal future situation

The user can always supply a sha256 hash sum (and it's sent on the wire in hex encoding as clarified in the Omaha 3.1 spec).

Implementation options

For Flatcar packages we could calculate the hex sha256 sum on the fly from the postinstall extension where it's stored in base64, see backend/pkg/syncer/syncer.go for the conversion (introduced in https://github.com/kinvolk/nebraska/pull/629/files).
For other packages we could also reuse the FlatcarAction field but hide all other attributes except Sha256.

Additional information

3.0 spec mentioning both attributes: https://github.com/google/omaha/blob/main/doc/ServerProtocolV3.md#package-response
earlier 3.0 spec only mentioning the sha1 hash: https://github.com/google/omaha/blob/main/doc/ServerProtocol.md#package-element
3.1 spec: https://chromium.googlesource.com/chromium/src.git/+/master/docs/updater/protocol_3_1.md#update-checks-body-update-check-response-objects-update-check-response-9
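As an added illustration of the first implementation option (example code written for this page, not Nebraska's own conversion in backend/pkg/syncer/syncer.go), this converts a base64-stored SHA-256 digest into the hex form the 3.1 spec expects and renders a package element that carries hash_sha256 next to the base64 sha1 hash. The struct, the function names and the check that rejects anything other than a 32-byte digest are assumptions, not project code.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"fmt"
)

// omahaPackage carries the <package> attributes relevant here; names follow the
// linked Omaha specs: hash is base64 SHA-1 (3.0), hash_sha256 is hex (3.1).
type omahaPackage struct {
	XMLName    xml.Name `xml:"package"`
	Name       string   `xml:"name,attr"`
	Size       int64    `xml:"size,attr"`
	Hash       string   `xml:"hash,attr,omitempty"`
	HashSHA256 string   `xml:"hash_sha256,attr,omitempty"`
	Required   bool     `xml:"required,attr"`
}

// base64ToHexSHA256 turns a base64 SHA-256 digest (the form Flatcar keeps in the
// postinstall extension) into lowercase hex for hash_sha256. Anything that does
// not decode to exactly 32 bytes is rejected rather than sent on the wire.
func base64ToHexSHA256(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", fmt.Errorf("decoding base64 sha256: %w", err)
	}
	if len(raw) != sha256.Size {
		return "", fmt.Errorf("sha256 digest is %d bytes, want %d", len(raw), sha256.Size)
	}
	return hex.EncodeToString(raw), nil
}

// packageResponse renders the <package> element; sha1B64 is passed through
// unchanged (already base64 per 3.0), sha256B64 is converted to hex.
func packageResponse(name string, size int64, sha1B64, sha256B64 string) (string, error) {
	hexSum, err := base64ToHexSHA256(sha256B64)
	if err != nil {
		return "", err
	}
	out, err := xml.Marshal(omahaPackage{Name: name, Size: size, Hash: sha1B64, HashSHA256: hexSum, Required: true})
	if err != nil {
		return "", err
	}
	return string(out), nil
}
```

With an empty sha1 value the hash attribute is omitted entirely, so a client only ever sees attributes that hold a real digest.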
