tuf: init

[jleightcap]

TUF changes as introduced by #1 isolated in 30c3853.

this might provide the best foothold to upstreaming subcomponents, as it's a 'leaf' of the bundle sign+verify pipeline.

TODO:

• return owned types
• result .unwrap() cleanup

[jleightcap]

API changes evidenced through cosign tests:

   --> examples/cosign/verify/main.rs:250:48
    |
250 |             sigstore::tuf::SigstoreRepository::fetch(None)
    |                                                ^^^^^
    |                                                |
    |                                                function or associated item not found in `SigstoreRepository`
    |                                                help: there is a method with a similar name: `prefetch`

[tnytown]

@jleightcap For the CertificateDer ownership changes, I just realized that CertificateDer has a From for Vec<u8>: https://docs.rs/rustls-pki-types/latest/rustls_pki_types/struct.CertificateDer.html#impl-From%3CVec%3Cu8,+Global%3E%3E-for-CertificateDer%3C'a%3E

Maybe we can use CertificateDer<'static> in conjunction with that?

[jleightcap]

Apologies for the bifurcation, I've realized these changes are pretty inseparable from the cosign refactor. I've opened a separate PR with that freestanding work: sigstore#305.

@tnytown I'll cross-reference your reviews on that PR.

[jleightcap]

@jleightcap For the CertificateDer ownership changes, I just realized that CertificateDer has a From for Vec<u8>: https://docs.rs/rustls-pki-types/latest/rustls_pki_types/struct.CertificateDer.html#impl-From%3CVec%3Cu8,+Global%3E%3E-for-CertificateDer%3C'a%3E

Maybe we can use CertificateDer<'static> in conjunction with that?

For usage: https://github.com/sigstore/sigstore-rs/pull/305/files#diff-000f4bc6fc7f5d0a2c3971c76955a2c9854dfc8d27eb63dc581f44d83fd2c57fR194

I might be misunderstanding how that related to a certificate with a static lifetime?