Collect APK certificates after an OTA, rather than relying on timestamps

Checking APK file modified timestamps is not a reliable signal to
determine that the APK signature may have changed. APKs in the system
image (anything that passes through add_img_to_target_files) have all
file timestamps rewritten to 2009-01-01, for instance, so timestamp will
explicitly fail to detect changes in the platform key across an OTA.

Bug: 80093599
Bug: 74501739
Test: Verified OTA between test-keys and dev-keys worked for 2 builds
with same APK timestamps, and signature changes were picked up.
Change-Id: Id3e5afbfe22e63d70cd176f1e438e2fa143ccd65