verify uboot flash.bin with sha1

Our scripts download two things: Debian packages to populate the image and the unpackaged u-boot binary. Debian package integrity is verified using GPG with the trust root set in the system running the script via the debian-archive-keyring package. To make sure that nothing unexpected gets downloaded we also verify the SHA1 hash of the uboot binary.

This was proposed by IRC user erle here: https://mntre.com/reform-irc-logs/2022-06-10.log.html#t00:14:01