Monitor tails-update-* in apt.lizard and regularly update the Debian signing keys

Requested by @intrigeri here:

Also, I think this happens every 2 years, when a new Debian is released, so on a quite predictable schedule (the release date was announced a month ago), and at least this time we ended up noticing the problem very late and having to deal with it in an emergency, which is a bit stressful. So, it would be nice if we could either have monitoring in place so you can react quickly when this breaks (it broke on Aug 9), or have this work planned in advance with someone ready to do it during the week after the new Debian release.