Protect against hash conflicts

[zkat]

I'm starting to think that cacache should start storing secondary integrity hashes in the index. Direct content address reads can still potentially yield bad data, but if you provide a key, cacache will interpret checksum conflicts as regular checksum failures (by using the stronger algorithm for data verification), and then it's up to the user to figure out what to do with it.

In the case of, say, pacote, what would happen on a tarball conflict is simply treating the conflict as corruption and then it would re-fetch the data.

idk if this is worth the effort -- if you're using cacache with weak checksums (it defaults to sha512!), then you're basically asking for trouble, but the reality is the npm registry still relies on sha1, and alternative registries will continue to do so further into the future.