prefer apksigner if installed, jarsigner sucks

Google has their own utility for verifying APK signatures on a desktop
machine since Java's jarsigner is bad for the task.  For example, it
acts as if an unsigned APK validates.  And to check whether an APK is
unsigned using jarsigner is difficult.

apksigner also does the v2 signatures, so it will have to be used
eventually anyway.  It is already in Debian/stretch and can be
available in jessie-backports if need be.

https://android.googlesource.com/platform/tools/apksig
https://packages.debian.org/apksigner
1 job for sign-and-verify-update in 21 minutes and 35 seconds (queued for 1 second)
Status Job ID Name Coverage
  Test
passed #12734145
test

00:21:35