Support hash-checking mode in pip-sync #474

@konstin

See https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode

  • Support hash-checking mode in pip-compile output #131
  • Read hashes from requirements.txt format (https://pip.pypa.io/en/stable/reference/requirements-file-format/#per-requirement-options)
  • Compute the sha256 when downloading a distribution (both source dist and wheel), store them in the cache (and make sure to keep in sync with cache invalidation) or check that they match the File description (TODO: Does this have a perf impact? If yes, do we always want to do this or only if the registry doesn't tell us the sha?)
  • When installing, check the hashes
    • Ignore distributions with mismatching hashes: A better matching wheel might have been uploaded since the lockfile was created, but we have to ignore it in hash checking mode and fall back to the next file. Report when there is no distribution because none matched the hashes (but would have without hashes)
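The four steps above, as an added example in Python that is not part of the issue or the project's code: parse the `--hash` per-requirement options from a requirements file, compute sha256 on the downloaded bytes, skip candidates whose digest is not in the lockfile, and report when nothing matched. The package name, file names and wheel bytes are constructed; only the `--hash=algo:hex` option form is handled.

```python
import hashlib
import shlex

class HashMismatch(Exception):
    """No otherwise-eligible distribution passed the hash check."""

def parse_requirements(text):
    """Map each pinned name to its {(algorithm, hexdigest)} from --hash options."""
    reqs = {}
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines first, as pip does
        tokens = shlex.split(line.split("#", 1)[0])       # drop comments, split like a shell
        if not tokens:
            continue
        name = tokens[0].split("==", 1)[0].strip().lower()
        # each "--hash=sha256:<hex>" option becomes an ("sha256", "<hex>") pair
        reqs[name] = {tuple(t[7:].lower().partition(":")[::2])
                      for t in tokens[1:] if t.startswith("--hash=")}
    return reqs

def select_distribution(name, candidates, reqs):
    """Return the first (filename, bytes) candidate whose sha256 the lockfile allows.
    A mismatching file is skipped, not fatal (it may be a newer upload); if none
    matches, the error lists the files that would have been eligible without hashes."""
    allowed = reqs.get(name)
    if not allowed:
        raise HashMismatch(f"{name}: no --hash in lockfile; hash-checking mode needs one")
    skipped = []
    for filename, data in candidates:
        digest = hashlib.sha256(data).hexdigest()   # computed on the downloaded file
        if ("sha256", digest) in allowed:
            return filename
        skipped.append(f"{filename} (sha256:{digest[:12]}...)")
    raise HashMismatch(f"{name}: no candidate matched the lockfile; rejected: {', '.join(skipped)}")

# Constructed sample data: two fake wheels and a lockfile pinning only the first.
WHEEL_OLD = b"constructed wheel bytes: the file the lockfile was generated from"
WHEEL_NEW = b"constructed wheel bytes: re-uploaded after the lockfile was made"
LOCKFILE = f"example-pkg==1.0.0 \\\n    --hash=sha256:{hashlib.sha256(WHEEL_OLD).hexdigest()}\n"

def demo():
    """Prefer the hashed file over a newer upload; return the error when nothing matches."""
    reqs = parse_requirements(LOCKFILE)
    chosen = select_distribution("example-pkg", [("new.whl", WHEEL_NEW), ("old.whl", WHEEL_OLD)], reqs)
    try:
        select_distribution("example-pkg", [("new.whl", WHEEL_NEW)], reqs)
    except HashMismatch as err:
        return chosen, str(err)
    return chosen, None
```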

Labels

enhancement, security