Try not to crash the system server because of corrupt restore data

When we're about to allocate an array based on the restore data for purposes of
unflattening a signature block, don't automatically assume that it's valid.  If
it's corrupt [and we've seen this in practice] we can wind up trying to allocate
an array with 1.8 million objects, and throw an OutOfMemoryError, bringing down
the system.

This change arbitrarily decides that no package should have more than 20
signatures in its block, and aborts the restore if the metadata is thus revealed
to be corrupt.