SHA1 checksum not checked by default

[mmcco]

I definitely think it's a good idea to ship the app with this turned on. It might take a little while, but presumably if someone's running a chrooted Debian environment on their phone they can handle waiting through a SHA1 computation.

If you/I wanted to get particularly fancy, the app could include a Debian release signing key and validate the signature as well.