Add embedded TUF root update mechanism

[jku]

Keeping the embedded TUF root updated (like in #414) is not required but it's useful as clients then download less on the first run.

The update itself is a little annoying to do though: how do you ensure the PR content is correct? I came up with this solution in sigstore-python (sigstore/sigstore-python#1301):

• Makefile rule that
  • runs the client just enough to securely update the cached root
  • copies the cached root into the sources
• Workflow that
  • executes the make rule on cron
  • files an issue if the root embedded in source changed

This has two uses:

1. it files an issue if embedded root does not match current root
2. gives maintainers an easy way to create a PR (or verify it)

Feel free to steal the relevant parts from sigstore-python

[codysoyland]

Thanks @jku, that's a great script. I was actually just thinking about writing something similar using tufie, but if this already works, I'm down for including it!

[haydentherapper]

+1, this would be a great addition.

[jku]

I was actually just thinking about writing something similar using tufie, but if this already works, I'm down for including it!

It will need some modification to switch the sigstore-python specific bits with sigstore-go ... but should be a good starting point.

At least I would use sigstore-go itself (and not some other client) to fetch the current root, that feels correct.