
Upgrade to latest Sigstore TUF client

Status: Open. Opened by haydentherapper, 2 comments.

Description

Tracking issue for using the new Sigstore TUF client, https://github.com/sigstore/sigstore-go/blob/main/pkg/tuf/client.go. This client adds support for using the new trusted root metadata and improves caching logic.

This removes support for the per-target custom metadata, i.e. https://github.com/sigstore/scaffolding/blob/b0d09de38f7ea4ee5939a52cebadbc7127d4e127/pkg/repo/repo.go#L44-L48, which is used for private deployments. Given this will be a breaking change in Cosign, we can either switch to this client as part of Cosign 3.0, announce deprecation and wait X months, or support both TUF clients via a flag (temporarily; we would still announce deprecation of the previous TUF client).

cc @codysoyland @kommendorkapten

Ref: https://github.com/sigstore/scaffolding/issues/1001

haydentherapper, Feb 20 '24 18:02

A few implementation notes:

  • We likely can support both TUF clients concurrently without a flag. We may be able to use the same cache folder too, needs confirmation.
  • We'll need to modify how the individual service targets are fetched, as the API differs between the previous and new sigstore TUF clients
  • We should update the e2e tests to generate the trusted root file and serve a local TUF repository
  • To test, we simply need to initialize against the production TUF repo, which is currently distributing a trusted root file

haydentherapper, Feb 29 '24 21:02

Another implementation note, as per https://github.com/sigstore/sigstore-go/issues/38: we can now initialize multiple clients for different repositories, each with its own local cache, which covers the use case of verifying against multiple trusted roots (e.g. the public instance + a private instance). We can add this around the same time.

haydentherapper, Mar 11 '24 21:03
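The comments above describe two things the new client makes possible: consuming the trusted root metadata instead of per-target custom metadata, and holding one trusted root per TUF repository (public plus private) so a signature can be checked against whichever instance issued it. The following is an added example, not code from cosign or sigstore-go, that models the verifier-side half of that: it parses two trusted root documents, keeps each tied to the repository it came from, and resolves a transparency log entry's key ID to the one instance and key whose validity window covers the entry's integrated time. The JSON layout (mediaType, tlogs, publicKey.validFor, logId.keyId) is assumed from the Sigstore trusted root format rather than taken from this page, only the fields the lookup needs are modelled, and both sample documents, their URLs and their key IDs are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// TimeRange mirrors the validFor window in a trusted root; a nil End means
// the key is still in use. (Layout assumed from the trusted root format.)
type TimeRange struct {
	Start time.Time  `json:"start"`
	End   *time.Time `json:"end,omitempty"`
}

type PublicKey struct {
	RawBytes   string    `json:"rawBytes"`
	KeyDetails string    `json:"keyDetails"`
	ValidFor   TimeRange `json:"validFor"`
}

type TransparencyLog struct {
	BaseURL       string    `json:"baseUrl"`
	HashAlgorithm string    `json:"hashAlgorithm"`
	PublicKey     PublicKey `json:"publicKey"`
	LogID         struct {
		KeyID string `json:"keyId"`
	} `json:"logId"`
}

// TrustedRoot models only the tlogs section; the real document also carries
// certificateAuthorities, ctlogs and timestampAuthorities.
type TrustedRoot struct {
	MediaType string            `json:"mediaType"`
	TLogs     []TransparencyLog `json:"tlogs"`
}

// Instance ties a parsed trusted root to the TUF repository that served it,
// which is what "one client per repository with its own cache" buys us.
type Instance struct {
	Name string
	Root TrustedRoot
}

const trustedRootMediaType = "application/vnd.dev.sigstore.trustedroot+json;version=0.1"

func ParseTrustedRoot(name string, doc []byte) (Instance, error) {
	var tr TrustedRoot
	if err := json.Unmarshal(doc, &tr); err != nil {
		return Instance{}, fmt.Errorf("%s: %w", name, err)
	}
	if tr.MediaType != trustedRootMediaType {
		return Instance{}, fmt.Errorf("%s: unexpected mediaType %q", name, tr.MediaType)
	}
	return Instance{Name: name, Root: tr}, nil
}

// FindLog returns the instance name and log entry whose key ID matches and
// whose key was valid at the given integrated time. A matching key ID with
// the wrong validity window (a rotated key) is deliberately not accepted.
func FindLog(instances []Instance, keyID string, at time.Time) (string, *TransparencyLog, error) {
	for i := range instances {
		inst := &instances[i]
		for j := range inst.Root.TLogs {
			tl := &inst.Root.TLogs[j]
			if tl.LogID.KeyID != keyID {
				continue
			}
			v := tl.PublicKey.ValidFor
			if at.Before(v.Start) || (v.End != nil && at.After(*v.End)) {
				continue
			}
			return inst.Name, tl, nil
		}
	}
	return "", nil, fmt.Errorf("no trusted log with key id %q valid at %s", keyID, at.Format(time.RFC3339))
}

// Constructed sample documents: a public root whose log key was rotated on
// 2023-01-01, and a private root with a single log. Not real keys or IDs.
const publicRootJSON = `{
  "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
  "tlogs": [
    {"baseUrl": "https://rekor.example.org", "hashAlgorithm": "SHA2_256",
     "publicKey": {"rawBytes": "CONSTRUCTED-OLD-KEY", "keyDetails": "PKIX_ECDSA_P256_SHA_256",
                   "validFor": {"start": "2021-01-12T00:00:00Z", "end": "2023-01-01T00:00:00Z"}},
     "logId": {"keyId": "constructed-public-log-key-1"}},
    {"baseUrl": "https://rekor.example.org", "hashAlgorithm": "SHA2_256",
     "publicKey": {"rawBytes": "CONSTRUCTED-NEW-KEY", "keyDetails": "PKIX_ECDSA_P256_SHA_256",
                   "validFor": {"start": "2023-01-01T00:00:00Z"}},
     "logId": {"keyId": "constructed-public-log-key-2"}}
  ]}`

const privateRootJSON = `{
  "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
  "tlogs": [
    {"baseUrl": "https://rekor.internal.example", "hashAlgorithm": "SHA2_256",
     "publicKey": {"rawBytes": "CONSTRUCTED-PRIVATE-KEY", "keyDetails": "PKIX_ECDSA_P256_SHA_256",
                   "validFor": {"start": "2022-06-01T00:00:00Z"}},
     "logId": {"keyId": "constructed-private-log-key-1"}}
  ]}`

// LoadExamples parses both constructed roots, one per (hypothetical) TUF repository.
func LoadExamples() ([]Instance, error) {
	pub, err := ParseTrustedRoot("public", []byte(publicRootJSON))
	if err != nil {
		return nil, err
	}
	priv, err := ParseTrustedRoot("private", []byte(privateRootJSON))
	if err != nil {
		return nil, err
	}
	return []Instance{pub, priv}, nil
}

func main() {
	insts, err := LoadExamples()
	if err != nil {
		panic(err)
	}
	at := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	for _, id := range []string{"constructed-public-log-key-2", "constructed-private-log-key-1", "constructed-public-log-key-1"} {
		name, tl, err := FindLog(insts, id, at)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("accept: %s via %s (%s)\n", id, name, tl.BaseURL)
	}
}
```

The point of keying the lookup on both the key ID and the validity window is that a trusted root carries the rotated-out keys alongside the current one; a verifier that matched on key ID alone would accept an entry timestamped after a key was retired.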