more `fdroid nightly` polishing

This are hopefully the last fixes needed to make fdroid nightly dead simple to add to GitLab CI and Travis CI. The big change is that it now resigns the APK before it includes it in the repo. That is so there does not need to be a "prepare" command that installs the debug.keystore before the build runs. This way, fdroid nightly just needs to be called once at the very end of the build.

Since I was touching some of the APK signing stuff, I also added common.sign_apk() which will hopefully replace the signing code in fdroidserver/publish.py. It includes code to try to use SHA-256 for APK signatures as much as possible. Check that commit message for more info. Once it proves stable in fdroid nightly, it can be used in fdroid publish. That should hopefully save us some pain when SHA-1 gets removed.

You can see runs of this in my fdroidclient fork: https://gitlab.com/eighthave/fdroidclient/pipelines/14656229