Add sha256 and sha256_src attributes to maven_jar

[jin]

..and print warnings if sha256 or sha256_src aren't used, like this:

WARNING: /usr/local/google/home/jingwen/code/copybara/WORKSPACE:192:1: maven_jar rule @junit//jar: Not using a checksum to verify the integrity of the artifact or the usage of SHA-1 is not secure (see https://shattered.io) and can result in an non-reproducible build. Please specify the SHA-256 checksum with: sha256 = "90a8e1603eeca48e7e879f3afbc9560715322985f39a274f6f6070b43f9d06fe",

WARNING: /usr/local/google/home/jingwen/code/copybara/WORKSPACE:192:1: maven_jar rule @junit//jar: Not using a checksum to verify the integrity of the artifact or the usage of SHA-1 is not secure (see https://shattered.io) and can result in an non-reproducible build. Please specify the SHA-256 checksum with: sha256_src = "694f4694a51f67dadea4d2045742d38fb4efb92d82d42744b15e26ce653bcd3e",

The warning message is designed to be copy paste-able directly into the WORKSPACE file.

#6799
#8880

RELNOTES: Added sha256 and sha256_src attributes to maven_jar. Please consider migrating to SHA-256 as SHA-1 has been deemed cryptographically insecure (https://shattered.io). Or, use rules_jvm_external to manage your transitive Maven dependencies with artifact pinning and SHA-256 verification support.

[aiuto]

I'm happy to see this. When I saw your change for not https+sha1j a few days ago I found it incredible that we only has sha1 hashes for maven. I was going to ask you about it.

This looks great. Just nits about wording. I believe we do people a favor by not "suggesting" they swtich, but telling them they must switch.

[aiuto]

I don''t know if we need the "please" in all of these. This is a strong recommendation and my hunch is we will fully remove sha1 in 2.0. I think you are fine with
"A SHA-1 hash of the desired jar source file. (Deprecated: use sha256)"