apt/package.py: Use all hashes when fetching packages

The md5 hash was removed in 1.9.0, but still used here. Convert
the code to use the new HashStringList support.

Closes: #944696
LP: #1858972
CVE-2019-15795

(cherry picked from commits 31811d3e,
 and 6c4f875b)

Also check that we have trusted hashes when downloading

1.9.1 switched the code from using md5 to hash string list, but
never checked that we actually had usable hashes. Do that check
now and raise a new exception if it failed.

This regression was tracked in Debian Bug #946597