Make download_hash.sha1 optional

[HebaruSan]

Motivation

Currently we always calculate both the SHA1 and the SHA256 for all mods. This is redundant and wastes CPU time. KSP-CKAN/CKAN#4135 began the process of making the SHA1 optional; the client now ignores download_hash.sha1 for purposes of validating downloads if download_hash.sha256 is set (which is always).

The infra uses download_hash.sha1 in two places:

• The 8-character file prefix for archive.org upload ZIPs
  (The client also does this and will need to be updated in a subsequent pull request)
• Comparing to the sha1 received from archive.org to confirm that a previously uploaded file matches the bot's copy

Changes

• Now if download_hash.sha1 is absent, we use download_hash.sha256 for the 8-character archive.org file prefix instead. This will not cause collisions because the file prefix comes after the identifier+version bucket string, so the exact same mod version would have to have an SHA1 and SHA256 starting with the same 8 characters. And even if that happened, it's perfectly fine for both to point to the same file!
• Now if download_hash.sha1 is absent, the Mirrorer calculates the SHA1 from the downloaded/cached file to check whether it matches one already on archive.org

This will move us another step closer to the point of being able to drop SHA1 from the metadata completely.