Add support for rotating compromised key in sharedUserId
Currently, when a package in a sharedUserId rotates its signing key and revokes the SHARED_USER_ID capability from the previous key, this package cannot be updated in an existing sharedUserId if another package in the sharedUserId is signed with the previous key. In the case of a key compromise, this delays rollout of the SHARED_USER_ID capability revocation because all packages in the sharedUserId must be updated to the new key first, then updates to those packages must be pushed that revoke this capability. If any device were to miss the initial rollout with the capability still granted, then those devices will not be able to update the packages that have since revoked the capability from the previous key.

This commit adds support for rotating a compromised key in a sharedUserId by allowing packages that have revoked this capability from the previous key to join sharedUserIds with one or more packages signed by this previous key if the package is already a member of the sharedUserId; new installs are not allowed to join until all packages in the sharedUserId have rotated off the untrusted key. This commit also adds support for system packages to be part of a sharedUserId without this capability granted as long as they share a common lineage.

Bug: 243701925
Test: atest PkgInstallSignatureVerificationTest
Change-Id: If935a00eec8fdce29e18444b7fd943f62b458ebd
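The membership rule the commit message describes can be written out as a small decision model. The following is an added illustration, not code from AOSP or from this change: it models a signing lineage as an ordered list of keys, each older key carrying the capabilities its successor still grants it, and decides whether a package may join or update within a sharedUserId. The class and function names (`SigningLineage`, `can_join_shared_uid`, and so on) and the key identifiers `K1`, `K2`, `K9` are constructed for the example; the real PackageManager checks are considerably more involved.

```python
"""Simplified model of the sharedUserId membership decision in the commit message.

Constructed for illustration only; NOT the AOSP PackageManager implementation,
and every name below is an assumption made for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

SHARED_USER_ID = "SHARED_USER_ID"  # the lineage capability being revoked


@dataclass(frozen=True)
class LineageEntry:
    """One signer in a rotation lineage.

    `capabilities` are the capabilities the rotated-to key still grants to
    this older key; a compromised key has SHARED_USER_ID removed here.
    """
    key: str
    capabilities: FrozenSet[str] = frozenset({SHARED_USER_ID})


@dataclass(frozen=True)
class SigningLineage:
    entries: Tuple[LineageEntry, ...]  # oldest first, current signer last

    @property
    def current_key(self) -> str:
        return self.entries[-1].key

    def keys(self) -> FrozenSet[str]:
        return frozenset(e.key for e in self.entries)

    def grants_shared_uid_to(self, key: str) -> bool:
        """The current signer always qualifies; an older signer qualifies only
        while the SHARED_USER_ID capability is still granted to it."""
        if key == self.current_key:
            return True
        return any(e.key == key and SHARED_USER_ID in e.capabilities
                   for e in self.entries[:-1])


def compatible(a: SigningLineage, b: SigningLineage) -> bool:
    """Two packages may share a UID when either lineage accepts the other's
    current signer for sharedUserId purposes."""
    return (a.grants_shared_uid_to(b.current_key)
            or b.grants_shared_uid_to(a.current_key))


def shares_lineage(a: SigningLineage, b: SigningLineage) -> bool:
    """Common lineage: at least one signing key appears in both histories."""
    return bool(a.keys() & b.keys())


def can_join_shared_uid(candidate: SigningLineage,
                        members: List[SigningLineage],
                        already_member: bool,
                        is_system: bool) -> Tuple[bool, str]:
    """Decide whether `candidate` may join (or update within) a sharedUserId.

    Returns (allowed, reason). Order of checks mirrors the commit message:
    normal capability check first, then the two relaxations it introduces.
    """
    if not members:
        return True, "empty sharedUserId"
    mismatched = [m for m in members if not compatible(candidate, m)]
    if not mismatched:
        return True, "every member accepted under the SHARED_USER_ID capability"
    if not all(shares_lineage(candidate, m) for m in mismatched):
        return False, "a member is signed by a key outside the candidate's lineage"
    # Remaining mismatches are members still signed by a key from which the
    # candidate has revoked SHARED_USER_ID (the compromised-key situation).
    if is_system:
        return True, "system package sharing a common lineage"
    if already_member:
        return True, "existing member updating after revoking the capability"
    return False, "new install must wait until all members rotate off the untrusted key"


# Constructed scenario: K1 is compromised, K2 is the replacement key.
OLD_ONLY = SigningLineage((LineageEntry("K1"),))
ROTATED_REVOKED = SigningLineage((LineageEntry("K1", frozenset()), LineageEntry("K2")))
ROTATED_GRANTED = SigningLineage((LineageEntry("K1"), LineageEntry("K2")))
UNRELATED = SigningLineage((LineageEntry("K9"),))


def demo() -> dict:
    """Run the scenarios from the commit message and return the decisions."""
    return {
        "update_existing_member": can_join_shared_uid(ROTATED_REVOKED, [OLD_ONLY], True, False),
        "new_install_blocked": can_join_shared_uid(ROTATED_REVOKED, [OLD_ONLY], False, False),
        "system_common_lineage": can_join_shared_uid(ROTATED_REVOKED, [OLD_ONLY], False, True),
        "all_rotated": can_join_shared_uid(ROTATED_REVOKED, [ROTATED_REVOKED], False, False),
        "capability_still_granted": can_join_shared_uid(ROTATED_GRANTED, [OLD_ONLY], False, False),
        "unrelated_key": can_join_shared_uid(ROTATED_REVOKED, [UNRELATED], True, False),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:26} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The two relaxations only apply once the normal capability check has failed and only when the mismatched member is still on a key in the candidate's own lineage; a member signed by an unrelated key is still refused, even for a package that is already in the sharedUserId.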