Allow apex packages to be signed with key that has rollback capability

When a key is rotated with a new key, it may continue to trust the old
one. As such, trusted old key should be able to update.

We no longer need to handle "key-downgrade" separately in any situation.
An update will be installed iff it is signed by a trusted key (even
during Rollbacks/Downgrades).

Bug: 136002636
Test: atest StagedInstallTest#testTrustedOldKeyIsAccepted
Change-Id: I3455bd00e13a9271fe25cfaac1476ad7e55eb5f3