releasetools: check_target_files_signatures.py checks APEXes.

Only the container certs will be checked and reported. For the payload
within an APEX, we can't easily extract the cert info.

Doing that, if ever needed, takes a longer path:
 - extracting public keys from all the available certs;
 - using each of them to verify against an APEX payload to find a match
   (`avbtool verify_image --image payload --key public_key`).

Bug: 123716522
Test: Run check_target_files_signatures.py on target_files with APEXes.
Change-Id: I2ef318e05433d2d65ab84e2dff9e01fb6ee3373d
(cherry picked from commit d8469727bc)
Tao Bao 2019-03-15 11:03:53 -07:00
parent ec37f2f308
commit 35a7add43f
1 changed files with 5 additions and 4 deletions


@ -168,6 +168,7 @@ def CertFromPKCS7(data, filename):
class APK(object):
def __init__(self, full_filename, filename):
self.filename = filename
self.certs = None
@ -244,12 +245,12 @@ class TargetFiles(object):
# must decompress them individually before we perform any analysis.
# This is the list of wildcards of files we extract from |filename|.
apk_extensions = ['*.apk']
apk_extensions = ['*.apk', '*.apex']
self.certmap, compressed_extension = common.ReadApkCerts(
zipfile.ZipFile(filename, "r"))
zipfile.ZipFile(filename))
if compressed_extension:
apk_extensions.append("*.apk" + compressed_extension)
apk_extensions.append('*.apk' + compressed_extension)
d = common.UnzipTemp(filename, apk_extensions)
self.apks = {}
@ -272,7 +273,7 @@ class TargetFiles(object):
os.remove(os.path.join(dirpath, fn))
fn = uncompressed_fn
if fn.endswith(".apk"):
if fn.endswith(('.apk', '.apex')):
fullname = os.path.join(dirpath, fn)
displayname = fullname[len(d)+1:]
apk = APK(fullname, displayname)
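Review bot: At `if fn.endswith(('.apk', '.apex')):` an APEX is wrapped in the same `APK` object as an ordinary APK, so only its container cert is collected, and nothing in the code tells a reader that the payload key went unverified. As far as these hunks show, an APEX whose payload is still signed with a test key would not be flagged. I would record that limit where the extension is matched, e.g. `# APEX: only the container cert is checked; the payload key is NOT verified (would need avbtool verify_image).`, and, if the report code allows it, label APEX entries as container-only in the output. Separately, `zipfile.ZipFile(filename)` is passed straight to `common.ReadApkCerts` without being bound to a name, so it is never explicitly closed; `with zipfile.ZipFile(filename) as input_zip:` around the call would fix that. The enclosing methods start and end outside the visible hunks.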