I would like online sign and build-repository to do more data validation:
- online-sign should check that targets metadata is valid and artifacts are found (note that delegated targets may be allowed to be expired)
- build-repository should check that all metadata and artifacts are valid
  - this should include checking that root versions in root_history/ are valid -- although care needs to be taken since potentially some imported root metadata is not valid according to tuf-on-ci (see e.g. sigstore root-signing)
  - as an additional check, we could test that the keyids are compliant (since python-tuf does not do that, see Fix noncompliant keyids #338)
There is a CIRepository._validate_role() but that is very focused on the signing event use case: in particular it expects there to be a "previous repository version" (self.open_prev() opens that version of a specific metadata) which only makes sense in a signing event.
Possibly we can make a more generic validate_role() and a more specific validate_signing_event_role() that uses the generic method but also does the comparison to the previous version.
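As an added, stand-alone illustration of the checks the issue asks for (this is example code written for this page, not tuf-on-ci's or python-tuf's own implementation): it walks a targets `signed` dict against an artifact directory, verifying expiry (with an opt-out for delegated targets), that every listed artifact exists with the recorded length and hashes, and that no target path escapes the directory; separately it recomputes keyids as the hex SHA-256 of the key object's canonical JSON and flags any root key whose id does not match. Assumptions are marked in comments: canonical JSON is approximated with `json.dumps(sort_keys=True, separators=(",", ":"))`, which is adequate for the ASCII-only key dicts used here, and all metadata, keys and artifacts are constructed samples.

```python
"""Added example, not tuf-on-ci code: validation checks over plain TUF
metadata dicts and an artifact directory, using only the standard library."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


def canonical_json(obj) -> str:
    # Assumption: for ASCII-only data this matches the OLPC canonical JSON that
    # securesystemslib hashes (sorted keys, no whitespace, minimal escaping).
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def expected_keyid(key: dict) -> str:
    # Spec-compliant keyid: hex SHA-256 of the canonical JSON of the key object
    # (keytype, scheme, keyval), with no keyid field inside the object.
    return hashlib.sha256(canonical_json(key).encode()).hexdigest()


def validate_keyids(root_signed: dict) -> list[str]:
    """Report root 'keys' entries whose keyid is not the digest of the key object."""
    problems = []
    for keyid, key in root_signed["keys"].items():
        want = expected_keyid(key)
        if keyid != want:
            problems.append(f"keyid {keyid}: expected {want}")
    return problems


def validate_targets(signed: dict, targets_dir, allow_expired: bool = False,
                     now: Optional[datetime] = None) -> list[str]:
    """Check a targets 'signed' dict: type, expiry, and that every listed
    artifact exists under targets_dir with the recorded length and hashes.
    allow_expired=True covers delegated targets that may legitimately be expired."""
    now = now or datetime.now(timezone.utc)
    root = Path(targets_dir).resolve()
    problems = []
    if signed.get("_type") != "targets":
        problems.append(f"unexpected _type {signed.get('_type')!r}")
    expires = datetime.strptime(signed["expires"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    if expires <= now and not allow_expired:
        problems.append(f"expired at {signed['expires']}")
    for path, info in signed.get("targets", {}).items():
        artifact = (root / path).resolve()
        # Refuse target paths that would resolve outside the artifact directory.
        if root not in artifact.parents:
            problems.append(f"{path}: escapes targets directory")
            continue
        if not artifact.is_file():
            problems.append(f"{path}: artifact not found")
            continue
        data = artifact.read_bytes()
        if len(data) != info["length"]:
            problems.append(f"{path}: length {len(data)} != {info['length']}")
        for alg, digest in info["hashes"].items():
            if hashlib.new(alg, data).hexdigest() != digest:
                problems.append(f"{path}: {alg} mismatch")
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed repository: one good artifact, one missing artifact and one
    escaping path; one compliant and one noncompliant keyid.
    Returns (targets_problems, expired_problems, keyid_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        targets_dir = Path(tmp)
        good = b"hello tuf-on-ci\n"  # constructed artifact content
        (targets_dir / "good.txt").write_bytes(good)
        targets_signed = {  # constructed metadata, not from a real repository
            "_type": "targets",
            "expires": "2030-01-01T00:00:00Z",
            "targets": {
                "good.txt": {"length": len(good),
                             "hashes": {"sha256": hashlib.sha256(good).hexdigest()}},
                "missing.txt": {"length": 1, "hashes": {"sha256": "00" * 32}},
                "../escape.txt": {"length": 1, "hashes": {"sha256": "00" * 32}},
            },
        }
        before = datetime(2025, 1, 1, tzinfo=timezone.utc)
        after = datetime(2031, 1, 1, tzinfo=timezone.utc)
        targets_problems = validate_targets(targets_signed, targets_dir, now=before)
        expired_problems = validate_targets(targets_signed, targets_dir, now=after)
    # Constructed key object (not a real public key); "deadbeef" is a bogus keyid.
    key = {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": "ab" * 32}}
    root_signed = {"keys": {expected_keyid(key): key, "deadbeef": dict(key)}}
    return targets_problems, expired_problems, validate_keyids(root_signed)


if __name__ == "__main__":
    for group in demo():
        print(group)
```

The path-escape check matters for a build step that copies artifacts into a published tree: a `targets` entry like `../escape.txt` is rejected before any file access. The keyid check is the piece python-tuf does not perform on the repository side, so it is the one a build-repository validation would have to carry itself.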