Only remember the signer certificates for Signatures

Previously we would use the JarEntry#getCertificates API which would
return a flattened array of all the signers and their certificate chain.
Since this isn't what was intended, switch to reading the certificate
chains and only paying attention to the signer certificate.

In order to migrate during upgrades of the platform, we'll scan on boot
with a compatibility mode which will check the stores signatures in the
old format by flattening the chains of the scanned packages then
comparing the two sets.

Bug: 13678484
Change-Id: I02a5c53121d8d6f70a51d7e3b98168a41e11482e