Pre package pull check

[jsallay]

Is your feature request related to a problem? Please describe.

Zarf packages can become quite large. Sometimes I want to download new packages (zarf package pull) and make sure that old packages haven't been corrupted. I can't see a way to check if the package that I pulled has been modified from what is in the package registry.

Describe the solution you'd like

I can run a sha256sum on a pulled package. It would be nice if I could check the hash for a package in the registry without downloading it first. It be something like:

zarf package pull --hash-only oci://...
# or
zarf package get-hash oci://...
# or
zarf package check oci://...  <path-to-downloaded-file>

Describe alternatives you've considered

With docker images I can run docker manifest inspect and get the info that I'm looking for, but I'm not sure that I can get the same info with zarf. I have a harbor registry and I can look up the sha hash there, but it doesn't match that of the file.

It's possible that there is already an easy way to do this and I'm just not aware.

Additional context

Add any other context or screenshots about the feature request here.