Support for GPG signatures using SHA1 is disabled in apt >= 1.4, as mentioned here, under (1.4~beta1):
https://launchpad.net/debian/+source/apt/+changelog
or more detail in distribution
/usr/share/doc/apt/NEWS.Debian.gz
The error can be viewed with:
diff --git a/scripts/live-build-config b/scripts/live-build-config
index 7141df0..2f3e23c 100755
- a/scripts/live-build-config
+++ b/scripts/live-build-config
@@ -56,6 +56,7 @@ lb config noauto \
--firmware-binary false \ --updates true \ --security true \
+ --apt-options "--yes -oDebug::Acquire::gpgv=true" \
--apt-indices false "${@}"
"""
And the behavior reverted with the (not recommended) option:
diff --git a/scripts/live-build-config b/scripts/live-build-config
index 7141df0..2a1f64a 100755
- a/scripts/live-build-config
+++ b/scripts/live-build-config
@@ -56,6 +56,7 @@ lb config noauto \
--firmware-binary false \ --updates true \ --security true \
+ --apt-options "--yes -oDebug::Acquire::gpgv=true -oAPT::Hashes::SHA1::Weak=true" \
--apt-indices false "${@}"
"""