debootstrap: use --force-check-gpg

I asked for such a switch to be added in debootstrap back at the start of
2015 in #775454 as part of a review I undertook of its security. A slightly
modified patch was merged a few months later and made it into version
1.0.69.

A patch was never merged into live-build to make use of it however. Let's
do that now.

The benefit of this, as explained in #775454, is that if we want strong
security (LB_APT_SECURE=true) then should debootstrap not be able to find
the GPG key to verify things with, it will abort with an error instead of
falling back to just https downloads with a warning. Such a warning would
be easy to miss in the log output, and security could potentially be
compromised if this were to happen.

Gbp-Dch: Short

1 files changed, 2 insertions, 0 deletions

diff --git a/scripts/build/bootstrap_debootstrap b/scripts/build/bootstrap_debootstrap
index c25cbacec..6da968343 100755
--- a/scripts/build/bootstrap_debootstrap
+++ b/scripts/build/bootstrap_debootstrap
@@ -71,6 +71,8 @@ fi
 if [ "${LB_APT_SECURE}" = "false" ]
 then
 	DEBOOTSTRAP_OPTIONS="${DEBOOTSTRAP_OPTIONS} --no-check-gpg"
+else
+	DEBOOTSTRAP_OPTIONS="${DEBOOTSTRAP_OPTIONS} --force-check-gpg"
 fi
 
 if [ "${LB_CACHE_PACKAGES}" = "true" ]