awslabs / tough

Rust libraries and tools for using and generating TUF repositories

Support for Custom target fields #641

Open ChevronTango opened 12 months ago

ChevronTango commented 12 months ago

As seen in https://tuf-repo-cdn.sigstore.dev/targets.json the targets.json can contain a custom field for holding additional data about the target.

{
   "signed":{
      "_type":"targets",
      "spec_version":"1.0",
      "version":7,
      "expires":"2023-10-04T13:26:23Z",
      "targets":{
         "artifact.pub":{
            "length":177,
            "hashes":{
               "sha256":"59ebf97a9850aecec4bc39c1f5c1dc46e6490a6b5fd2a6cacdcac0c3a6fc4cbf",
               "sha512":"308fd1d1d95d7f80aa33b837795251cc3e886792982275e062409e13e4e236ffc34d676682aa96fdc751414de99c864bf132dde71581fa651c6343905e3bf988"
            },
            "custom":{
               "sigstore":{
                  "status":"Active",
                  "usage":"Unknown"
               }
            }
         },
         "ctfe.pub":{
            "length":177,
            "hashes":{
               "sha256":"7fcb94a5d0ed541260473b990b99a6c39864c1fb16f3f3e594a5a3cebbfe138a",
               "sha512":"4b20747d1afe2544238ad38cc0cc3010921b177d60ac743767e0ef675b915489bd01a36606c0ff83c06448622d7160f0d866c83d20f0c0f44653dcc3f9aa0bd4"
            },
            "custom":{
               "sigstore":{
                  "status":"Active",
                  "uri":"https://ctfe.sigstore.dev/test",
                  "usage":"CTFE"
               }
            }
         },
         ...

This is incredibly valuable for services like sigstore. Right now when I try and generate a targets file using tuftool create there is no option to add this extra data, and if I add it manually and run tuftool update the new fields are deleted.

My current solution requires these fields be present so right now the tuftool is not generating an output I can use, so it would be incredibly valuable for tuftool to support them.

Maybe implemented as an additional update command such as:

tuftool update-target "my-target.pub" --custom '{"sigstore": {"status": "Active","uri": "https://rekor.sigstore.dev/","usage": "Rekor"}}' --key my-target-key.pem
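
A round-trip check for the data loss described above, as an added example that is not part of the original issue or the tough project's code. The function names are hypothetical, the hashes are placeholders, and `simulate_update_without_custom` only stands in for a tool run that rewrites the targets without their `custom` objects.

```python
import copy

def flatten(obj, prefix):
    """Flatten nested custom data into {dotted.path: leaf value}."""
    if isinstance(obj, dict) and obj:
        out = {}
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}"))
        return out
    return {prefix: obj}

def custom_regressions(before_doc, after_doc):
    """List (target, path, problem) for custom data lost or altered in after_doc."""
    before = before_doc["signed"]["targets"]
    after = after_doc["signed"]["targets"]
    problems = []
    for name, meta in before.items():
        if "custom" not in meta:
            continue  # nothing to preserve for this target
        if name not in after:
            problems.append((name, "custom", "target removed"))
            continue
        old = flatten(meta["custom"], "custom")
        new = flatten(after[name]["custom"], "custom") if "custom" in after[name] else {}
        for path, value in old.items():
            if path not in new:
                problems.append((name, path, "dropped"))
            elif new[path] != value:
                problems.append((name, path, "changed"))
    return sorted(problems)

# Constructed sample: the two targets from the issue, hashes replaced by placeholders.
BEFORE = {"signed": {"_type": "targets", "targets": {
    "artifact.pub": {"length": 177, "hashes": {"sha256": "<placeholder>"},
                     "custom": {"sigstore": {"status": "Active", "usage": "Unknown"}}},
    "ctfe.pub": {"length": 177, "hashes": {"sha256": "<placeholder>"},
                 "custom": {"sigstore": {"status": "Active", "usage": "CTFE",
                                         "uri": "https://ctfe.sigstore.dev/test"}}},
}}}

def simulate_update_without_custom(doc):
    """Stand-in for a tool run that rewrites targets and omits 'custom' (assumed behaviour)."""
    out = copy.deepcopy(doc)
    for meta in out["signed"]["targets"].values():
        meta.pop("custom", None)
    return out

if __name__ == "__main__":
    print(custom_regressions(BEFORE, simulate_update_without_custom(BEFORE)))
```

To use it on real metadata, load the targets.json saved before and after regeneration with `json.load` and fail the publishing step when the returned list is not empty.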

jku commented 2 months ago

Supporting this feature is not a bad idea but I'll leave a bit more detail: