raise warning if insecure sha-1 certificate fingerprint is passed to nuget.exe sign command

[kartheekp-ms]

Bug

Fixes: https://github.com/NuGet/Client.Engineering/issues/2931

Description

Deprecate the usage of SHA-1 fingerprints in NuGet.exe sign command especially for CertificateFingerprint option. Instead, allow nuget.exe sign command to accept SHA-2 (SHA-256, SHA-384 and SHA-512) family fingerprints for searching a local certificate store for the certificate.

Here is how the nuget.exe sign command works after this PR has been merged:

• Validates the certificate fingerprint to ensure it is either SHA-1, SHA-256, SHA-384, or SHA-512 algorithm. Throws an error otherwise.
• Raises a warning if a SHA-1 certificate fingerprint is provided. This warning will be promoted to an error in the future.
• While searching for a certificate from the local store, if a SHA-1 hash is provided, finds the certificate using the existing API i.e. store.Certificates.Find(X509FindType.FindByThumbprint, options.Fingerprint, validOnly);
• If a SHA-256, SHA-384, or SHA-512 certificate fingerprint is provided, loops through the certificates in the store to find the certificate with the matching hash.

I made similar changes to the dotnet sign command in #5895.

PR Checklist

• Meaningful title, helpful description and a linked NuGet/Home issue
• Added tests
• Link to an issue or pull request to update docs if this PR changes settings, environment variables, new feature, etc. https://github.com/NuGet/Client.Engineering/issues/2876