check signature and OpenSSL after APK has proven valid
If working with a random grab bag of APKs, there can be all sorts of issues like corrupt entries in the ZIP, bad signatures, signatures that are invalid since they use MD5, etc. Moving these two checks later means that the APKs can still be renamed.

This does change how common.getsig() works. For years, it returned None if the signature check failed. Now that I've started working with giant APK collections gathered from the wild, I can see that `fdroid update` needs to be able to first index what's there, then make decisions based on that information. So that means separating the getsig() fingerprint fetching from the APK signature verification.

This is not hugely security sensitive, since the APKs still have to get past the Android checks, e.g. update signature checks. Plus the APK hash is already included in the signed index.
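
The "index first, decide later" split described in the commit message above, as an added illustration that is not code from this commit or from fdroidserver. The function names, the decision labels and the in-memory sample files are assumptions made for the example. It performs no cryptographic verification, and it treats the digest name in the JAR `.SF` header as a stand-in for "uses MD5".

```python
import hashlib
import io
import re
import zipfile

SF_DIGEST = re.compile(r"(?m)^([\w-]+)-Digest-Manifest:")

def make_apk(sf_digest, corrupt=False):
    """Constructed stand-in for an APK (placeholder signature files, not a real signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" * 64)
        z.writestr("META-INF/CERT.SF", f"Signature-Version: 1.0\r\n{sf_digest}-Digest-Manifest: AAAA\r\n")
        z.writestr("META-INF/CERT.RSA", b"constructed placeholder block")
    data = bytearray(buf.getvalue())
    if corrupt:
        data[60] ^= 0xFF  # damage stored bytes of classes.dex so its CRC-32 fails
    return bytes(data)

def index_apk(name, data):
    """Phase 1: record facts about the file; never reject here."""
    entry = {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
             "bad_entry": None, "sf_digests": [], "sig_block_sha256": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            entry["bad_entry"] = z.testzip()  # first entry failing its CRC, or None
            for n in z.namelist():
                if re.fullmatch(r"META-INF/[^/]+\.SF", n):
                    entry["sf_digests"] = SF_DIGEST.findall(z.read(n).decode("utf-8", "replace"))
                elif re.fullmatch(r"META-INF/[^/]+\.(RSA|DSA|EC)", n):
                    entry["sig_block_sha256"] = hashlib.sha256(z.read(n)).hexdigest()
    except zipfile.BadZipFile:
        entry["bad_entry"] = "<archive>"  # unreadable container, still indexed by hash
    return entry

def decide(entry):
    if entry["bad_entry"]:
        return "corrupt"
    if not entry["sig_block_sha256"]:
        return "unsigned"
    if any(d.upper() == "MD5" for d in entry["sf_digests"]):
        return "md5-signature"
    return "verify-signature-next"

def scan(samples):
    index = [index_apk(n, d) for n, d in samples.items()]  # phase 1: index everything
    return {e["name"]: decide(e) for e in index}           # phase 2: policy from the index

SAMPLES = {"good.apk": make_apk("SHA-256"), "md5.apk": make_apk("MD5"),
           "broken.apk": make_apk("SHA-256", corrupt=True), "junk.apk": b"not a zip"}
```

Every sample gets an index entry with its SHA-256, including the ones that fail, so a later step can rename, quarantine or report them instead of losing track of them at parse time.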