Use signatures on restore

On restore now, the backup manager gets the signature blocks corresponding to
the restore set from the transport.  It then validates those signatures against
the on-device app signatures, and refuses to restore data to an app whose
on-device sig block does not match the backup image's.

Also actually implement 'bmgr transport N' so that we can select the local
transport easily during runtime.