Commit 2ce9110

Add pip-hashes to complement pip-requirements.

For stronger build integrity, the build tools as downloaded should be verified against hashes that this repo's maintainers also concur are authentic.

Note the "unsafe" qualifier for setuptools is not troublesome [1], but still pinning pip itself could be a problem [2]. Not pinning pip means that container definitions that pip install --upgrade pip -r requirements.txt will fail. The base container's pip package should be sufficient to install the edk2 build dependencies.

There are many hashes this tool adds for single release versions because one tool version can get released on many platforms and Python versions. The tool stores hashes in alphabetical order rather than in a release list order. I have not culled any since there is no "official" development platform to weed out unnecessary hashes. If we decide that only the CI toolchain containers matter, then we should cull after first showing that they can handle --require-hashes in the pip-install step.

[1] jazzband/pip-tools#806 (comment)
[2] pypa/pip#6459

Signed-off-by: Dionna Glaze <[email protected]>
1 parent 21cbba1 commit 2ce9110
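The check the commit message relies on, as an added example that is not part of this commit or of pip itself: parse a hash-pinned requirements file in the format pip-compile emits and accept a downloaded artifact only if its digest matches one of the pins, refusing any requirement that carries no hash, which is what pip's --require-hashes mode enforces. The package versions, wheel contents and digests below are constructed for the example.

```python
import hashlib
import re

# Constructed sample artifacts standing in for two wheels of one release
# (one per platform); they are not real package contents.
GOOD_WHEEL = b"constructed wheel contents for linux"
OTHER_WHEEL = b"constructed wheel contents for macos"

# Constructed hash-pinned requirements file in the layout pip-compile
# produces. pip-tools carries two hashes, one per platform wheel, as the
# commit message describes; setuptools is deliberately left unpinned.
REQUIREMENTS = f"""\
pip-tools==4.5.1 \\
    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()} \\
    --hash=sha256:{hashlib.sha256(OTHER_WHEEL).hexdigest()}
setuptools==46.1.3
"""

HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)")


def parse_requirements(text):
    """Map each 'name==version' pin to the set of (algorithm, digest) it allows.

    Backslash-continued lines are joined first, as pip does when reading
    the file, so all --hash options for one requirement land on one line.
    """
    joined = text.replace("\\\n", " ")
    pins = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec = line.split()[0]
        pins[spec] = {(m["algo"], m["digest"]) for m in HASH_RE.finditer(line)}
    return pins


def verify_artifact(pins, spec, data):
    """Return True only if the digest of `data` matches a hash pinned for `spec`.

    In --require-hashes mode a requirement without hashes is an error rather
    than a silent pass: one unpinned entry would defeat the whole check.
    """
    allowed = pins.get(spec)
    if not allowed:
        raise ValueError(f"{spec}: no hashes pinned; refusing to install")
    return any(hashlib.new(algo, data).hexdigest() == digest
               for algo, digest in allowed)
```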

1 file changed: +481 -0 lines changed


0 commit comments
