
Check repo index timestamps

The Update Framework documents provide a nice discussion of possible attacks against update systems. One example is a "rollback attack", where the attacker just serves the old signed index.jar to keep all clients from updating their apps. That allows the attacker to exploit known vulnerabilities in those un-updated apps.

While this is a reasonably hard attack, this fix is an important step towards removing the requirement for trusting the web server operator. Ultimately, it should be possible to trust the index signing key only. Then it doesn't matter where the files come from; it just matters that they are verifiably signed by the index signing key.

This does not address "freeze attacks" since it allows an index update with the same timestamp. I did that deliberately to slowly ramp up the security checks in order to avoid problems along the way. Code-wise, blocking freeze attacks is mostly a matter of changing the timestamp check from < to <=.
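The two comparisons discussed above, as an added illustration that is not the merge request's own code: a small Python model of the per-repository timestamp check, with a flag that switches the comparison from < (the behaviour described here, which stops rollback but not freeze) to <= (which also rejects a replayed copy of the current index). The class, function and repository URL are hypothetical, and the timestamps are constructed sample values; the one real constraint it encodes is that the timestamp being compared has to come from inside the signed index, since anything outside the signature is under the control of whoever serves the files.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical helper, not F-Droid's own code: models the timestamp check the
# merge request describes. The timestamp compared here must be the one carried
# inside the signed index (so it is covered by the index signing key); a value
# taken from an HTTP header or file mtime could be set freely by whoever serves
# the files.


@dataclass
class RepoIndexState:
    """Last accepted index timestamp per repository URL.

    block_freeze=False reproduces the merged behaviour: an index that is older
    than the stored one is rejected (rollback), but one with the same timestamp
    is still accepted. block_freeze=True switches the comparison from < to <=,
    which additionally rejects a replayed copy of the current index (freeze).
    """

    block_freeze: bool = False
    last_seen: Dict[str, int] = field(default_factory=dict)

    def accept_index(self, repo_url: str, index_timestamp: int) -> bool:
        """Return True and record the timestamp if the index may be applied.

        A rejected index leaves the stored timestamp untouched, so a later
        genuine update is still compared against the last accepted one.
        """
        stored = self.last_seen.get(repo_url)
        if stored is not None:
            # Rollback: the served index is older than what we already have.
            if index_timestamp < stored:
                return False
            # Freeze: the served index is the one we already have.
            if self.block_freeze and index_timestamp <= stored:
                return False
        # First fetch of this repo, or a genuinely newer index: accept it.
        self.last_seen[repo_url] = index_timestamp
        return True


def run_update_sequence(state: RepoIndexState, repo_url: str,
                        served_timestamps: List[int]) -> List[str]:
    """Feed a sequence of served index timestamps through the check."""
    outcomes = []
    for ts in served_timestamps:
        ok = state.accept_index(repo_url, ts)
        outcomes.append("accepted" if ok else "rejected")
    return outcomes


if __name__ == "__main__":
    # Constructed sample: two genuine updates, then a stale copy of the first
    # index served again (rollback), then the current index served again (freeze).
    repo = "https://repo.example/fdroid"  # placeholder URL
    served = [1000, 1100, 1000, 1100]
    print(run_update_sequence(RepoIndexState(), repo, served))
    print(run_update_sequence(RepoIndexState(block_freeze=True), repo, served))
```

With the default setting the sequence yields accepted, accepted, rejected, accepted: the stale index is refused, but the replayed current one goes through, which is exactly the gap the description leaves open for now. With block_freeze=True the last step is rejected too.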
