sigstore / root-signing

TUF repository for Sigstore trust root
Apache License 2.0

handle dependency issue in python-tuf client test #1226

Closed jku closed 2 months ago

jku commented 2 months ago

The timing makes me believe the recent securesystemslib release "caused" this: the new version does not have the pynacl option anymore IIRC so that makes sense... but it shouldn't affect anything since tuf explicitly doesn't use the new securesystemslib yet :shrug:

I'll look at this next week

jku commented 2 months ago

Apparently the order of package names matters to pip:

`pip install tuf securesystemslib[pynacl]` results in installation of securesystemslib-0.31.0 and tuf-4.0.0

`pip install securesystemslib[pynacl] tuf` results in installation of securesystemslib-1.0.0 and tuf-3.1.1.

(there's clearly some bug involved as well since without the extra pynacl option both commands have the same result)

jku commented 2 months ago

I think the current code is fine for now:

We shouldn't be directly installing libraries in CI test scripts anyway: this will hopefully be fixed when we integrate #929 -- root-signing-staging has tests that avoid this already (it uses a TUF test action and actual sigstore CLI clients instead).
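The two comments above describe the underlying hazard: an unpinned `pip install` in a CI script lets the resolver pick a different library pair depending on argument order, so the test silently runs against a version set nobody chose. One defensive guard is to resolve with pip's dry run first and fail the job if the resolved versions differ from the pinned ones the tests were written against. The script below is an added illustration, not code from this repository or from jku; it assumes the JSON layout of pip's `--report` output (the `install[].metadata.name`/`version` fields), uses the version numbers quoted in the thread as hypothetical pins, and embeds a constructed sample report so it runs offline.

```python
"""CI guard: compare pip's dry-run resolution against expected pins.

Produce the report (needs network, run outside this script):
    pip install --dry-run --report resolution.json tuf 'securesystemslib[pynacl]'
Then check it before doing the real install:
    python check_resolution.py resolution.json
"""
import json
import sys

# Versions the tests are assumed to have been written against (hypothetical
# pins taken from the numbers quoted in the thread; a real project pins
# whatever it actually validated).
EXPECTED = {"tuf": "4.0.0", "securesystemslib": "0.31.0"}


def resolved_versions(report: dict) -> dict:
    """Map distribution name -> version from a pip `--report` JSON document."""
    out = {}
    for item in report.get("install", []):
        meta = item["metadata"]
        out[meta["name"].lower()] = meta["version"]
    return out


def check_pins(resolved: dict, expected: dict) -> list:
    """Return (name, expected, actual) for every pinned package that is
    missing from the resolution or resolved to a different version."""
    problems = []
    for name, want in expected.items():
        got = resolved.get(name.lower())
        if got != want:
            problems.append((name, want, got))
    return problems


# Constructed sample shaped like pip's --report output, trimmed to the fields
# this script reads. It mirrors the "wrong order" outcome from the thread:
# securesystemslib 1.0.0 was chosen first and dragged tuf down to 3.1.1.
SAMPLE_REPORT = {
    "version": "1",
    "install": [
        {"metadata": {"name": "securesystemslib", "version": "1.0.0"}, "requested": True},
        {"metadata": {"name": "tuf", "version": "3.1.1"}, "requested": True},
    ],
}


def main(argv: list) -> int:
    """Exit non-zero when the resolution drifts from EXPECTED, so the CI job
    stops before installing an unintended version pair."""
    if len(argv) > 1:
        with open(argv[1]) as f:
            report = json.load(f)
    else:
        report = SAMPLE_REPORT  # offline demonstration input
    problems = check_pins(resolved_versions(report), EXPECTED)
    for name, want, got in problems:
        print(f"{name}: expected {want}, resolver chose {got}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the constructed sample and exits 1, which is the behaviour a CI step would rely on; pointing it at a real `--report` file from the pinned install command turns argument-order surprises like the one above into an explicit failure instead of a test that quietly runs against the wrong versions.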