Don't verify signatures in ConfigUpdateInstallReceiver

Instead, require the intent sender to hold the new system-or-signature
UPDATE_CONFIG permission. An application holding this permission is
now responsible for verifying the integrity/source of an update, before
sending it to one of the ConfigUpdateInstallReceiver subclasses.

Bug: 8949824
Change-Id: I0925051c1dcef312b8508fb34927150ffbc346f9