
include APK signatures in build metadata file

This MR contains several changes which together enable us to serve APKs signed by different entities for one version of an app.

  • fdroid update now puts multiple APKs with the same packageName and versionCode into index-v1.json. (requires-client-changes?)

  • added a new signer property to packages in index-v1.json. It contains the sha256 fingerprint of the signing key which has been used for signing the related APK.

  • index-v1.json expresses installation preference of available APKs via the sort order of the packages list. The higher up in the list, the higher the installation priority. (requires-client-changes ✓)

  • fdroid publish now searches for a signature in metadata/APPID/signatures/VERCODE/. If available, it tries to publish an additional version of the corresponding APK, signed with the key from metadata. The file name will also contain the first 7 hexadecimal digits of the signing key's sha256 fingerprint (e.g. info.guardianproject.browser_7010_d716207.apk). If not reproducible (i.e. the signature from metadata is not valid for our build) the publishing attempt will fail.

  • fdroid publish now stores the list of signing key fingerprints to stats/publishsigkeys.jar. It's a jarred JSON file, signed with fdroid's repo key. The key fingerprint is stored in config.py:repo_key_sha256 if not present, otherwise verified (trust on first use).
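The following is an added illustration of the index semantics described above, not code from this MR or from fdroidserver: it builds a constructed index-v1.json fragment with two entries for the same versionCode, derives the published file name from a signer fingerprint, picks the highest-priority APK whose signer matches an already-installed key (Android rejects updates signed by a different key, so a mismatching entry must never be offered as an update), and pins the repo key trust-on-first-use style. The fingerprint being SHA-256 over the DER signing certificate, and the field names `apkName`/`versionCode`, are assumptions for the example.

```python
import hashlib

APPID = "info.guardianproject.browser"

# Constructed 64-hex-char fingerprints for two different signing keys.
SIGNER_A = "d716207" + "0" * 57   # key held in metadata/APPID/signatures/
SIGNER_B = "ffee0011" + "1" * 56  # the repo's own build-signing key

# Constructed index-v1.json "packages" fragment. Both entries share
# versionCode 7010; list order is the installation preference.
SAMPLE_INDEX = {
    "packages": {
        APPID: [
            {"versionCode": 7010, "signer": SIGNER_A,
             "apkName": "info.guardianproject.browser_7010_d716207.apk"},
            {"versionCode": 7010, "signer": SIGNER_B,
             "apkName": "info.guardianproject.browser_7010.apk"},
            {"versionCode": 7009, "signer": SIGNER_B,
             "apkName": "info.guardianproject.browser_7009.apk"},
        ]
    }
}


def signer_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded signing certificate, lowercase hex.
    Assumption: this is the format carried in the `signer` property."""
    return hashlib.sha256(cert_der).hexdigest()


def published_apk_name(appid: str, vercode: int, signer_fp: str) -> str:
    """File name for an additionally signed copy: the first 7 hex digits of
    the signer fingerprint are appended, as the MR describes."""
    return f"{appid}_{vercode}_{signer_fp[:7]}.apk"


def choose_apk(index: dict, appid: str, vercode: int, installed_signer=None):
    """Client-side selection. Walk the package list in index order (highest
    priority first) and return the first entry for this versionCode whose
    signer matches the installed key; with no install yet, take the first.
    Returns None when no candidate can be installed over the current key."""
    candidates = [p for p in index["packages"].get(appid, [])
                  if p["versionCode"] == vercode]
    if installed_signer is None:
        return candidates[0] if candidates else None
    for pkg in candidates:
        if pkg["signer"].lower() == installed_signer.lower():
            return pkg
    return None


def check_repo_key(config: dict, observed_fp: str) -> dict:
    """Trust on first use for the repo key fingerprint: pin it when
    repo_key_sha256 is absent, otherwise require an exact match and
    fail loudly on any change. Returns the (possibly updated) config."""
    pinned = config.get("repo_key_sha256")
    if pinned is None:
        return {**config, "repo_key_sha256": observed_fp.lower()}
    if pinned.lower() != observed_fp.lower():
        raise ValueError(
            f"repo key fingerprint changed: pinned {pinned}, observed {observed_fp}")
    return config


if __name__ == "__main__":
    print(published_apk_name(APPID, 7010, SIGNER_A))
    print(choose_apk(SAMPLE_INDEX, APPID, 7010, SIGNER_B)["apkName"])
    print(check_repo_key({}, SIGNER_B))
```

A device that already has the repo-signed build (SIGNER_B) is steered past the higher-priority SIGNER_A entry to the file it can actually install, while a fresh install gets the preferred entry first.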

Closes #291 (closed)

Edited by Michael Pöhn
