signer: Make sure initial keyid is spec-compliant

[jku]

Spec demands that keyids be calculated from the keys canonicalized json. This is not that useful and it is a bit of a pain in the butt so most clients don't bother... but it is in the spec.

Make sure the keyids we generate are compliant.

[jku]

I suppose this is ready for review:

• existing keys are not modified
• whenever a custom field is added to a key, keyid is updated: in practice this happens right after a new key is imported/generated
• existing repositories need to "rotate" keys if they want to fix the issue: In practice it's likely easiest to remove keys, then add them as "new" ones

[jku]

Thanks. I'll still take a moment tomorrow to think through fredriks idea (to see if tuf-on-ci-signer would be capable of "fixing" the problem in existing root-signing-staging repo in a single signing event): I think that can be in a different PR but I'll have a look first

[jku]

by complete accident I think the signer might actually work correctly out-of-the box: I'll write some code that updates all the keyids in one go to test this...

[jku]

I will merge this and file a new one for the "fix-noncompliant-keyids" feature: I've got a branch but it's big enough that a new PR is a good idea