rules_apko
Relax requirements for stable SHA on the signature part of the package
Currently, when the signature part of a package changes, it triggers an immediate failure of the build process (especially when the lock-file is used).
Here we prefer to use the predefined hash to fetch the artifact (for performance reasons) and to have a warning printed if the SHAs do not match -> but still allow the build process to proceed.
@thesayyn Please take a look in context of your comment: https://github.com/chainguard-dev/rules_apko/issues/42#issuecomment-1850630445
To avoid hard fails in case the signature changes, we only cache control and data and let the signature be fetched as needed. That's the reason why we don't specify a checksum for signature fetches.
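To illustrate the split described in the comment above, here is an added Python example; it is not rules_apko code and not part of this thread. It treats a package as three concatenated gzip members (signature, control, data), pins the control and data digests as a lock-file would, and reports a changed signature as a warning rather than a hard failure while a changed control or data segment still fails. The segment layout, the lock-file dict shape, and the function names are assumptions of this example, and the sample packages are constructed inline.

```python
import gzip
import hashlib
import zlib

# Assumption of this example: an apk v2 file is three concatenated gzip
# members in the order signature, control, data, which is what allows the
# signature to be fetched separately from the cached control/data parts.
SEGMENT_NAMES = ("signature", "control", "data")


class IntegrityError(Exception):
    """Raised when a pinned (control/data) digest does not match."""


def split_gzip_members(blob: bytes) -> list:
    """Split a byte string into its concatenated gzip members (raw bytes)."""
    members = []
    pos = 0
    while pos < len(blob):
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing
        d.decompress(blob[pos:])
        if not d.eof:
            raise ValueError("truncated gzip member at offset %d" % pos)
        # Bytes after the member's trailer are reported back in unused_data.
        consumed = len(blob) - pos - len(d.unused_data)
        if consumed <= 0:
            raise ValueError("no progress parsing gzip member at offset %d" % pos)
        members.append(blob[pos:pos + consumed])
        pos += consumed
    return members


def build_apk(signature: bytes, control: bytes, data: bytes) -> bytes:
    """Build a constructed apk-like blob (sample input for this example)."""
    # mtime=0 keeps the gzip header deterministic so digests are reproducible.
    return b"".join(gzip.compress(part, mtime=0) for part in (signature, control, data))


def segment_digests(blob: bytes) -> dict:
    """sha256 hex digest of each raw segment, keyed by segment name."""
    members = split_gzip_members(blob)
    if len(members) != len(SEGMENT_NAMES):
        raise ValueError("expected %d gzip members, found %d"
                         % (len(SEGMENT_NAMES), len(members)))
    return {name: hashlib.sha256(raw).hexdigest()
            for name, raw in zip(SEGMENT_NAMES, members)}


def verify_package(blob: bytes, lock: dict) -> dict:
    """Check a fetched package against lock-file digests.

    control and data digests are pinned: a mismatch is a hard failure.
    The signature digest is advisory: a mismatch only produces a warning,
    so a re-signed package with identical contents still builds.
    """
    actual = segment_digests(blob)
    bad = [n for n in ("control", "data") if actual[n] != lock[n]]
    if bad:
        raise IntegrityError("pinned digest mismatch for: " + ", ".join(bad))
    warnings = []
    if "signature" in lock and actual["signature"] != lock["signature"]:
        warnings.append("WARNING: signature segment changed (lock %s..., fetched %s...)"
                        % (lock["signature"][:12], actual["signature"][:12]))
    return {"ok": True, "warnings": warnings, "digests": actual}


if __name__ == "__main__":
    original = build_apk(b"sig-v1", b"P:demo\nV:1.0\n", b"payload\n")
    lock = segment_digests(original)  # what a lock-file would record
    resigned = build_apk(b"sig-v2", b"P:demo\nV:1.0\n", b"payload\n")
    for w in verify_package(resigned, lock)["warnings"]:
        print(w)
    try:
        verify_package(build_apk(b"sig-v1", b"P:demo\nV:1.0\n", b"tampered\n"), lock)
    except IntegrityError as e:
        print("FAILED:", e)
```

The point of keeping control and data pinned is that relaxing the check on the signature segment alone does not weaken content integrity: a repository can re-sign a package without breaking the build, but a changed payload is still rejected.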
I experienced the hard fail -> and it seems we need to fix it.
@sfc-gh-ptabor can you resolve conflicts?