Re-enable app shim code signature checking with fixes.

Two changes:
- Remove the IS_OFFICIAL_BUILD check (don't require official builds to
  be signed for app shims to run at all).
- Construct a custom designated requirement to verify the app shim,
  which checks its identifier and that its certificate matches the
  browser's.

For now, keep failures log-only.

This reverts commit add2f7a11d13cf857b95ccb575afcd5d66690532.

Bug: 913362, 923612
Change-Id: I1c536e2172519dbf8e5b36a2dd9b5f1b26fb8302
Reviewed-on: https://chromium-review.googlesource.com/c/1427385
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Mark Mentovai <mark@chromium.org>
Commit-Queue: Sidney San Martín <sdy@chromium.org>
Auto-Submit: Sidney San Martín <sdy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#625394}
3 files changed