Use new WineHQ Debian package repository key

[nurupo]

Please don't use unauthenticated packages in user scripts. It wouldn't be as bad if unauthenticated packages were used only in the CI as we don't provide any build artifacts there, but that script is also meant to be used by people to produce toxcore dlls through the cross-compilation, it's in the INSTALL.md instructions, it's not just for CI.

Anyway, the issue was that WineHQ has changed their package signing key:

W: GPG error: https://dl.winehq.org/wine-builds/debian stretch InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 76F1A20FF987672F
W: The repository 'https://dl.winehq.org/wine-builds/debian stretch InRelease' is not signed.
...
WARNING: The following packages cannot be authenticated!
  wine-devel-amd64 wine-devel-i386:i386 wine-devel wine-devel-dbg winehq-devel
E: There were unauthenticated packages and -y was used without --allow-unauthenticated
The command '/bin/sh -c sh ./get_packages.sh' returned a non-zero code: 100

(Full log)

You can see the notice about the key being changed on WineHQ website:

The WineHQ repository key was changed on 2018-12-19. If you downloaded and added the key before that time, you will need to download and add the new key and run sudo apt update to accept the repository changes.

That's my primary source about the key change ^.

I have also faced this key change issue on my own system in December and given how no noise was raised over it for what is now several weeks, it does indeed appear like they simply have changed the key rather than that they got compromised. It would help if they have confirmed the key change on one more resource other than the website, but I couldn't find it being mentioned anywhere else.

I have also added a key fingerprint check in the script, because I figured that if the the package repository is compromised they might as well update the public key to match the signatures of compromised packages and we wouldn't know any better that the key has changed since we download the key every time we use the repository. (We have noticed the change only because they didn't overwrite the old Release.key key with the new one, they instead put it under the new winehq.key filename). Without that fingerprint check we might as well not bother using the key and use --allow-unauthenticated, so this check is important to have.

---

This change is 

[CLAassistant]

Thank you for your submission, we really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[codecov]

Codecov Report

Merging #1284 into master will increase coverage by <.1%.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           master   #1284     +/-   ##
========================================
+ Coverage    83.3%   83.3%   +<.1%     
========================================
  Files          82      82             
  Lines       14869   14869             
========================================
+ Hits        12388   12394      +6     
+ Misses       2481    2475      -6

Impacted Files	Coverage Δ
toxcore/onion_client.c	95.5% <0%> (-0.7%)	⬇️
toxcore/net_crypto.c	94.8% <0%> (-0.1%)	⬇️
toxcore/Messenger.c	87% <0%> (+0.2%)	⬆️
toxcore/friend_connection.c	96% <0%> (+1.1%)	⬆️
auto_tests/toxav_basic_test.c	83.5% <0%> (+1.9%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1ddc922...ebf3a82. Read the comment docs.

[nurupo]

Windows builds: https://travis-ci.org/TokTok/c-toxcore/builds/475157088.

[iphydf]

Reviewed 1 of 1 files at r1.
Reviewable status: 0 of 1 approvals obtained (waiting on @robinlinden)

[robinlinden]

Reviewed 1 of 1 files at r1.
Reviewable status: complete! 1 of 1 approvals obtained (waiting on @robinlinden)