Support "Bring your own PKI" (BYO PKEI)

[jvanz]

Description

Sigstore protofub specs has the ClientTrustConfig objects. It has all the data required by clients to sign and verify against a Sigstore instance. This data allow clients to perform operations in other Sigstore instances. Like in a air gapped environment. I think sigstore.rs should provide functions to load the data and use it in the client.

To implement that I think the SigstoreTrustRoot struct can be changed allowing users to load the data from a json with the data from ClientTrustConfig and use it in the clients interacting with Sigstore

[jku]

For a bit more background:

• ClientTrustConfig is basically just TrustedRoot and SigningConfig combined (that is, the trust material client needs to verify and the suggested urls client should use to sign, respectively)
• The TUF repository actually provides TrustedRoot and SigningConfig separately
• There's basically two ways to do "BYO PKI" in a sigstore client -- I think it's appropriate to support both. See sigstore-python for example CLI: https://sigstore.github.io/sigstore-python/advanced/custom_trust/:
  1. Allow user to "trust" a new sigstore instance by providing an initial TUF root -- advantage here is that the trust config is now updated automatically.
  2. Allow user to just provide the trusted root and signing config locally -- advantage here is that TUF is not needed and verifying client can operate 100% offline, downside is that the configuration may be out of date. Many clients do this with separate --trusted-root and --signing-config options, sigstore-python went with --trust-config to have a single argument

This issue request seems to be for the second option -- I just wanted to mention the full picture for reference.

[tnytown]

FWIW, we did some work around this in #354, although it's fallen out of sync with the main branch:

sigstore-rs/src/trust/mod.rs

Lines 198 to 223 in d648583

	/// `TrustConfig` manages necessary information necessary to contact and establish
	/// trust in a Sigstore instance.
	///
	/// This type roughly mirrors [`ClientTrustConfig`] from `sigstore-protobuf-specs`.
	///
	/// [`ClientTrustConfig`]: sigstore_protobuf_specs::dev::sigstore::trustroot::v1::ClientTrustConfig
	pub struct TrustConfig<R> {
	pub trust_root: R,
	pub signing_config: SigningConfig,
	}
	impl TryFrom<ClientTrustConfig> for TrustConfig<BundledTrustRoot> {
	type Error = TrustRootError;
	fn try_from(value: ClientTrustConfig) -> Result<Self> {
	let trusted_root = value.trusted_root.ok_or(TrustRootError::BundleMalformed)?;
	let signing_config = value
	.signing_config
	.ok_or(TrustRootError::BundleMalformed)?;
	Ok(TrustConfig {
	trust_root: BundledTrustRoot { trusted_root },
	signing_config,
	})
	}
	}