releasetools: Fix the payload public key replacement.

update_engine expects the extracted public key instead of the
certificate.

Bug: 28701652
Change-Id: I292d39da9e039f96d01a4214226aeb46f8cb881d
(cherry picked from commit afaf295cb8)

tools/releasetools/sign_target_files_apks.py

@@ -502,10 +502,14 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
             " as payload verification key.\n\n")
 
     print "Using %s for payload verification." % (mapped_keys[0],)
-    common.ZipWrite(
+    cmd = common.Run(
+        ["openssl", "x509", "-pubkey", "-noout", "-in", mapped_keys[0]],
+        stdout=subprocess.PIPE)
+    pubkey, _ = cmd.communicate()
+    common.ZipWriteStr(
         output_tf_zip,
-        mapped_keys[0],
-        arcname="SYSTEM/etc/update_engine/update-payload-key.pub.pem")
+        "SYSTEM/etc/update_engine/update-payload-key.pub.pem",
+        pubkey)
 
   return new_recovery_keys