update the cert used for OTA verification when signing

The build system now (in donut) produces builds that use the testkey
cert for OTA package verification.  Change the app-signing script to
also optionally substitute the "real" cert in both the recovery and
system images.  Also fix bug where the build fingerprint and
description were not getting properly updated in the recovery
partition.