APK /sign/file can output unaligned ZIPs #154

Closed
g-k opened this issue Oct 9, 2018 · 2 comments
g-k commented Oct 9, 2018

Summary of discussion from #148 (review) and our IRC channel.

The problem:

  • some APKs contain uncompressed media files; our JAR repacking (and go zipalign) compresses everything. This can break loading those files.
  • "APK: add ZIP packing strategy" (#153) adds an option to not compress everything. However, the resulting ZIPs are still misaligned since it copies everything over.

Possible solutions:

  • fix our alignment algorithm (see "APK dont compress media", #148 (comment))
  • don't align ZIPs in autograph; have callers run C++ zipalign
    • if callers zipalign after signing, this modifies the resulting file hashes which makes auditing usage of the resulting APKs harder
    • if callers zipalign before signing i.e. we only accept pre-aligned ZIPs and append signature files (compressed so alignment isn't affected), we still need to work around the golang stdlib not supporting appending to ZIPs
  • switch to /sign/hash ("provide gradle plugin for gpg and apk signing", #149) to avoid the issue. This is also 1) the most forward facing (i.e. can add support for more signing algs), 2) avoids sending the whole APK over the wire, and 3) provides nicer tooling for our Android devs
@g-k g-k added the bug label Oct 9, 2018

g-k commented Oct 16, 2018


g-k commented Nov 14, 2018

Autograph should focus on signing, so we'll have clients run zipalign after signing (see also #149), and deprecate the compress all and zip alignment, with the goal of removing them eventually.

@g-k g-k closed this as completed Nov 14, 2018
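
An added example, not code from autograph or from this issue: a Go check that a client could run on a signed APK to confirm every stored (uncompressed) entry starts on a 4-byte boundary, the alignment Android's zipalign is normally run with. The function names `unalignedStored` and `buildSample`, the entry names and the sample archive are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
)

// unalignedStored lists stored (uncompressed) entries whose data does not
// start on an align-byte boundary, the property zipalign establishes.
func unalignedStored(apk []byte, align int64) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(apk), int64(len(apk)))
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, f := range r.File {
		if f.Method != zip.Store {
			continue // compressed entries (e.g. signature files) need no alignment
		}
		off, err := f.DataOffset()
		if err != nil {
			return nil, err
		}
		if off%align != 0 {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// buildSample constructs a tiny APK-like ZIP (constructed data): a stored media
// file with pad zero bytes of header "extra", then a compressed manifest.
func buildSample(pad int) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	media, _ := w.CreateHeader(&zip.FileHeader{Name: "res/raw/a.ogg", Method: zip.Store, Extra: make([]byte, pad)})
	media.Write([]byte("constructed media bytes"))
	sig, _ := w.CreateHeader(&zip.FileHeader{Name: "META-INF/MANIFEST.MF", Method: zip.Deflate})
	sig.Write([]byte("Manifest-Version: 1.0\n"))
	w.Close()
	return buf.Bytes()
}

func main() {
	for _, pad := range []int{0, 1} { // data offset is 30+13+pad: 43, then 44
		bad, err := unalignedStored(buildSample(pad), 4)
		fmt.Printf("pad=%d unaligned=%v err=%v\n", pad, bad, err)
	}
}
```

The stored entry's data offset is the 30-byte local header plus the name and extra lengths, so one byte of extra padding moves it from 43 to 44 and the check passes.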