
sign and verify update

This is a set of updates to the APK signing and verifying based on the work setting up https://verification.f-droid.org. The most important part is support of the new apksigner tool from Google, over Java's jarsigner. jarsigner is difficult to use properly when working with APKs. This makes the whole fdroid verify process more robust. Though this does deal with verifying signatures, this is not the most security-sensitive part of the code. This is mostly QA checks, like that an APK has a valid signature before shipping it. Nonetheless, extra eyes on this would be most appreciated @CiaranG @grote @uniqx @TheZ3ro @thestinger
