sigstore / sigstore-python

A Sigstore client written in Python
https://pypi.org/p/sigstore

`--offline` should warn when the trust root is unreasonably old #1175

Open woodruffw opened 1 month ago

woodruffw commented 1 month ago

--offline disables all possible online operations, including routine TUF trust root updates. This is desirable for offline environments where trust is pre-established or established asynchronously, but can result in users having very stale trust roots without realizing it (meaning they may be missing revocations or important rotations that allow them to verify new signatures):

Fixing this has two parts:

  1. Determine an "acceptable" oldness policy. Considering trust roots "stale" after 24h might be reasonable, but might also be too noisy for some offline users.
  2. Emit a warning when performing sigstore verify commands in --offline mode with a trust root that's older than the window chosen in (1).

From (2), there's maybe a (3): pick a "red line" after which the warning becomes a hard error, forcing the user to update. Maybe 24h for a warning and 1 week for the red line, although again this could use user/integrator feedback.

CCing @mgorny @sethmlarson for thoughts!

woodruffw commented 1 month ago

On a related note: sigstore-python currently tries to refresh the TUF root every time it's called, which is both slow (especially when looped over in a shell script) and also overkill. It should probably refresh a maximum of once every 15 minutes or similar, just to avoid pointlessly hammering the TUF repo.
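The two comments above sketch a staleness policy for `--offline` and a refresh throttle for online runs. The following is an added example (not sigstore-python's own code) that grades a cached trust root using the issue's proposed 24h warning and 1-week red line, treats expired TUF timestamp metadata as a hard error, and gates refreshes to once per 15 minutes. It assumes the client records the time of its last successful TUF refresh and has the cached `timestamp.json` at hand; the sample metadata is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

# Thresholds proposed in the issue; integrators may want to tune them.
WARN_AFTER = timedelta(hours=24)
FAIL_AFTER = timedelta(weeks=1)
MIN_REFRESH_INTERVAL = timedelta(minutes=15)


@dataclass(frozen=True)
class Verdict:
    level: str        # "ok", "warn" or "error"
    age: timedelta    # time since the last successful TUF refresh
    message: str


def parse_tuf_time(value: str) -> datetime:
    # TUF metadata timestamps look like "2024-06-01T00:00:00Z" (UTC).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_offline_trust_root(last_refresh: datetime, now: datetime, timestamp_json: str) -> Verdict:
    """Grade a cached trust root used in --offline mode.

    `last_refresh` is when the local TUF cache was last updated (assumed to be
    recorded by the client); `timestamp_json` is the cached TUF timestamp role,
    whose `signed.expires` bounds how long the cache is usable at all.
    """
    age = now - last_refresh
    expires = parse_tuf_time(json.loads(timestamp_json)["signed"]["expires"])
    if now >= expires:  # a TUF client would reject this metadata anyway
        return Verdict("error", age, f"cached TUF timestamp metadata expired at {expires:%Y-%m-%dT%H:%M:%SZ}; run without --offline to refresh")
    if age >= FAIL_AFTER:
        return Verdict("error", age, f"trust root is {age.days} days old (limit {FAIL_AFTER.days} days); refusing to verify")
    if age >= WARN_AFTER:
        return Verdict("warn", age, f"trust root is {age.total_seconds() / 3600:.0f}h old; revocations or key rotations may be missing")
    return Verdict("ok", age, "trust root is fresh")


def should_refresh(last_refresh: datetime, now: datetime) -> bool:
    """Online mode: skip the TUF round trip if we refreshed recently."""
    return now - last_refresh >= MIN_REFRESH_INTERVAL


# Constructed sample: a minimal TUF timestamp role, not real Sigstore metadata.
SAMPLE_TIMESTAMP_JSON = json.dumps({
    "signed": {"_type": "timestamp", "version": 42, "expires": "2024-06-10T00:00:00Z"},
    "signatures": [],
})
```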