non-compliant keyids #136

Closed
jku opened this issue Jul 1, 2024 · 2 comments · Fixed by #137
Labels
bug Something isn't working

Comments

@jku (Member) commented Jul 1, 2024

Description

The keyids used by tuf-on-ci work with currently tested clients but

  • the keyids are not actually compliant (spec currently requires the keyid to be computed from the key contents)
  • as a result sigstore-rs (through awslabs/tough) does not work with root v8

This was fixed a while ago already in tuf-on-ci (theupdateframework/tuf-on-ci#292) so any new keys will be ok out-of-the-box but I dropped the ball on getting the fixes into this repository. Let's fix that.

The goal is:

  • Create new versions of all metadata, change the keyids to compliant ones
  • make sure we end up with signatures from both keyids in the root case: the root threshold has to be reached by both the old keys and the new keys (even if they happen to be the same actual key, just with a different keyid)
  • signers sign these changes
  • root version v8 will remain non-compliant: sigstore-rs needs to bootstrap from v9

I will do a PR

@jku jku added the bug Something isn't working label Jul 1, 2024
@jku jku linked a pull request Jul 1, 2024 that will close this issue
@jku (Member, Author) commented Jul 1, 2024

Notes on PR:

  • as mentioned, the only complication is that the new root needs to be signed by "old" and "new" keyids -- even though they are the same key. This should just happen without any special action from the signers
  • the diff looks more complicated than it is because the keys get reordered in the JSON: in reality only the keyids change
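The two points above (keyids must be derived from the key contents, and a root whose keyids changed must satisfy the threshold under both the old and the new keyid sets) are illustrated by the following added example. It is not code from this repository or from tuf-on-ci; it assumes the spec's keyid definition (hex SHA-256 of the canonical JSON of the key object with keytype, scheme and keyval), and it uses a constructed `demo-hmac` stand-in scheme so it runs without a crypto library, where a real root would carry ed25519 or ECDSA keys.

```python
"""Added example, not code from this repository or from tuf-on-ci: compute
TUF-spec keyids and check that a root whose keyids changed can still be
verified against both the previously trusted root and itself."""
import hashlib
import hmac
from typing import Callable, Dict, List


def canonical_json(obj) -> bytes:
    """OLPC canonical JSON as TUF uses it: keys sorted, no whitespace,
    only '"' and '\\' escaped inside strings (floats are not allowed)."""
    if obj is None:
        return b"null"
    if obj is True:
        return b"true"
    if obj is False:
        return b"false"
    if isinstance(obj, int):
        return str(obj).encode()
    if isinstance(obj, str):
        return b'"' + obj.replace("\\", "\\\\").replace('"', '\\"').encode("utf-8") + b'"'
    if isinstance(obj, list):
        return b"[" + b",".join(canonical_json(x) for x in obj) + b"]"
    if isinstance(obj, dict):
        return b"{" + b",".join(
            canonical_json(k) + b":" + canonical_json(v) for k, v in sorted(obj.items())) + b"}"
    raise TypeError(f"canonical JSON cannot encode {type(obj).__name__}")


def compute_keyid(key: dict) -> str:
    """Spec-compliant keyid: hex SHA-256 over the canonical JSON of the key
    object (keytype, scheme, keyval). Assumption: no other fields are hashed."""
    public = {"keytype": key["keytype"], "scheme": key["scheme"], "keyval": key["keyval"]}
    return hashlib.sha256(canonical_json(public)).hexdigest()


def noncompliant_keyids(root_signed: dict) -> List[str]:
    """Keyids in the 'keys' map that differ from the recomputed value. A client
    that recomputes keyids, as the spec tells it to, rejects such metadata."""
    return [kid for kid, key in root_signed["keys"].items() if compute_keyid(key) != kid]


Verify = Callable[[dict, bytes, str], bool]  # (key, signed_bytes, sig_hex) -> valid?


def root_threshold_met(new_root: dict, trusted_signed: dict, verify: Verify) -> bool:
    """Count distinct keyids of trusted_signed's root role that carry a valid
    signature over new_root['signed']; signatures by unknown keyids are ignored."""
    role = trusted_signed["roles"]["root"]
    data = canonical_json(new_root["signed"])
    valid = set()
    for sig in new_root["signatures"]:
        kid = sig["keyid"]
        if kid in role["keyids"] and kid in trusted_signed["keys"]:
            if verify(trusted_signed["keys"][kid], data, sig["sig"]):
                valid.add(kid)
    return len(valid) >= role["threshold"]


def verify_new_root(new_root: dict, old_root_signed: dict, verify: Verify) -> bool:
    """TUF client workflow: a new root must reach the threshold of the currently
    trusted root AND of itself, each judged by that root's own keyids."""
    return (root_threshold_met(new_root, old_root_signed, verify)
            and root_threshold_met(new_root, new_root["signed"], verify))


# Constructed stand-in scheme so the example runs without a crypto library:
# "demo-hmac" keys carry an HMAC secret in keyval["public"]. Real roots use
# ed25519/ecdsa public keys; the keyid and threshold logic is unchanged.
def demo_sign(key: dict, data: bytes) -> str:
    return hmac.new(bytes.fromhex(key["keyval"]["public"]), data, "sha256").hexdigest()


def demo_verify(key: dict, data: bytes, sig: str) -> bool:
    return key["scheme"] == "demo-hmac" and hmac.compare_digest(demo_sign(key, data), sig)


def make_key(seed: str) -> dict:
    return {"keytype": "demo-hmac", "scheme": "demo-hmac",
            "keyval": {"public": hashlib.sha256(seed.encode()).hexdigest()}}


def sign_root(signed: dict, signers: List[dict], aliases: Dict[str, str]) -> dict:
    """Sign with each key and emit one signature entry per keyid the key is
    known by: its compliant id plus any legacy alias that maps to it."""
    data = canonical_json(signed)
    sigs = []
    for key in signers:
        kid, sig = compute_keyid(key), demo_sign(key, data)
        for keyid in [kid] + [old for old, new in aliases.items() if new == kid]:
            sigs.append({"keyid": keyid, "sig": sig})
    return {"signed": signed, "signatures": sigs}


def rotation_demo() -> dict:
    """v8 lists three keys under hand-chosen ids; v9 lists the same keys under
    compliant ids. With threshold 2, both id sets must be satisfied."""
    keys = [make_key("signer-a"), make_key("signer-b"), make_key("signer-c")]
    old_ids = ["signer-a", "signer-b", "signer-c"]  # constructed, non-compliant
    new_ids = [compute_keyid(k) for k in keys]
    v8 = {"_type": "root", "version": 8, "keys": dict(zip(old_ids, keys)),
          "roles": {"root": {"keyids": old_ids, "threshold": 2}}}
    v9 = {"_type": "root", "version": 9, "keys": dict(zip(new_ids, keys)),
          "roles": {"root": {"keyids": new_ids, "threshold": 2}}}
    both = sign_root(v9, keys[:2], dict(zip(old_ids, new_ids)))  # old + new ids
    new_only = sign_root(v9, keys[:2], {})                      # new ids only
    return {
        "v8_noncompliant": len(noncompliant_keyids(v8)),
        "v9_noncompliant": len(noncompliant_keyids(v9)),
        "both_ids_accepted": verify_new_root(both, v8, demo_verify),
        "new_ids_only_accepted": verify_new_root(new_only, v8, demo_verify),
        "signatures_with_both_ids": len(both["signatures"]),
    }


if __name__ == "__main__":
    for name, value in rotation_demo().items():
        print(f"{name}: {value}")
```

`noncompliant_keyids` is the check a client like tough performs implicitly when it recomputes keyids; running it over v8 flags every key, over v9 none. `rotation_demo` shows why the new root needs two signature entries per signer: with only the compliant keyids present, the threshold check against v8 finds no matching keyids and the update is rejected, even though the signing keys are unchanged.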

@kommendorkapten (Member) commented

Makes sense!

@jku jku closed this as completed in #137 Jul 8, 2024