check signature and OpenSSL after APK has proven valid

If working with a random grabbag of APKs, there can be all sorts of
issues like corrupt entries in the ZIP, bad signatures, signatures that
are invalid since they use MD5, etc.  Moving these two checks later means
that the APKs can be renamed still.

This does change how common.getsig() works.  For years, it returned
None if the signature check failed.  Now that I've started working
with giant APK collections gathered from the wild, I can see that
`fdroid update` needs to be able to first index what's there, then
make decisions based on that information.  So that means separating
the getsig() fingerprint fetching from the APK signature verification.

This is not hugely security sensitive, since the APKs still have to
get past the Android checks, e.g. update signature checks.  Plus the
APK hash is already included in the signed index.
2 jobs for duplicate-apk-processing in 29 minutes and 7 seconds (queued for 8 minutes and 37 seconds)
Status Job ID Name Coverage
  Test
passed #17687923
metadata_v0

00:03:31

passed #17687922
test

00:25:35