Embed the most recent version of root.json in our launcher binary

[RebeccaMahany]

Currently, we embed the root.json file inside our launcher binary: https://github.com/kolide/launcher/blob/main/ee/tuf/assets/tuf/root.json

We want to change how we embed this file for a couple reasons:

1. The root.json metadata file has a one-year expiration. If the version we are shipping is expired, this can prevent launcher from being able to select the correct version of a binary until the TUF autoupdater exits its initial delay and performs an update.
2. We don't want to have to remember to update the root.json file every time we create a new version.
3. Shipping an outdated version of root.json means that the TUF autoupdater has to perform a couple extra HTTP calls to get the most recent version of root.json.
4. While we could ship an outdated version of root.json and force the TUF autoupdater to immediately fetch the latest version based on that -- via a call to metadataClient.UpdateRoots() -- this would slow down launcher startup due to the extra HTTP calls, which we don't want.

Our build process should be updated to embed the most recent version of root.json in the launcher binary.

Notes for implementation:

• We build launcher using our make command, which lives here. github-build is a good place to start looking in the Makefile to understand the build process.
• We should hardcode the contents of the first version of the root JSON, which is located at https://tuf.kolide.com/repository/1.root.json -- we want to ensure that we are definitely starting with valid, untampered metadata
• The build process should use the go-tuf library's UpdateRoots() to update from the first version to the most recent version -- the go-tuf library provides UpdateRoots() as a safe way to update and validate root metadata
• autoupdate.go's initMetadataClient may be a good starting point for getting set up to call UpdateRoots()
• pkg/packaging/fetch.go also relies on a separately-hardcoded root.json. Since this code is for packaging launcher into installers (so we don't care as much about performance), and since it already calls Update() (which calls UpdateRoots()), you can just leave this as it is.

[directionless]

This shouldn't be a change in pkg/make it should be a go generate somewhere.

[RebeccaMahany]

@directionless updated first bullet point accordingly