Handle mismatched algorithm between Docker-Content-Digest and requested digest #949

@Wwwsylvia

The distribution-spec v1.1.1 defines the behavior of the Docker-Content-Digest header for pulling manifests as follows:

> The Docker-Content-Digest header, if present on the response, returns the canonical digest of the uploaded blob which MAY differ from the provided digest.
> If the digest does differ, it MAY be the case that the hashing algorithms used do not match.
> See Content Digests apdx-3 for information on how to detect the hashing algorithm in use.
> Most clients MAY ignore the value, but if it is used, the client MUST verify the value matches the returned manifest.
> If the <reference> part of a manifest request is a digest, clients SHOULD verify the returned manifest matches this digest.

This means that a registry may accept a HEAD or GET request with a digest using sha512, yet return a Docker-Content-Digest header computed with the canonical digest algorithm sha256. Currently, oras-go v2 does not support this scenario and fails validation if the algorithms do not match.

We see two potential solutions:

  1. If the algorithm used in the Docker-Content-Digest header differs from the one in the request, simply ignore the header for digest verification.
  2. If the response includes content, validate it using the algorithm specified in the Docker-Content-Digest header. This approach introduces extra compute cost in addition to the validation between the content and the requested digest.
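The two options side by side for a GET-by-digest response, as an added example that is not oras-go's code or part of the original issue. `verifyManifest`, `compute`, `hashers` and the `useHeader` switch are hypothetical names, and the manifest body is constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
	"strings"
)

var hashers = map[string]func() hash.Hash{"sha256": sha256.New, "sha512": sha512.New}

// compute returns "<alg>:<hex>" for body, or "" if the algorithm is unsupported.
func compute(alg string, body []byte) string {
	newHash, ok := hashers[alg]
	if !ok {
		return ""
	}
	h := newHash()
	h.Write(body)
	return alg + ":" + hex.EncodeToString(h.Sum(nil))
}

// verifyManifest checks a response body. header is the Docker-Content-Digest value ("" if
// absent). On an algorithm mismatch, useHeader=false is option 1 and true is option 2.
func verifyManifest(requested, header string, body []byte, useHeader bool) error {
	reqAlg, _, _ := strings.Cut(requested, ":")
	if got := compute(reqAlg, body); got == "" || got != requested {
		return fmt.Errorf("body does not match requested digest %q", requested)
	}
	hdrAlg, _, _ := strings.Cut(header, ":")
	if header == "" || (hdrAlg != reqAlg && !useHeader) {
		return nil // no header, or option 1: header skipped on algorithm mismatch
	}
	// Same algorithm, or option 2: the header is used, so it must match the body too.
	if compute(hdrAlg, body) != header {
		return fmt.Errorf("body does not match Docker-Content-Digest %q", header)
	}
	return nil
}

func main() {
	body := []byte(`{"schemaVersion":2}`) // constructed sample manifest
	req, hdr := compute("sha512", body), compute("sha256", body)
	fmt.Println(verifyManifest(req, hdr, body, false), verifyManifest(req, hdr, body, true))
}
```

Under option 1 a wrong header in a different algorithm goes unnoticed, but the body is still bound to the requested digest; option 2 catches it at the cost of a second hash over the body.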

Labels: enhancement (New feature or request)