sigstore-rs may be incompatible with root-signing again

[jku]

See sigstore/root-signing#1431: We (root-signing) may have done the same mistake as happened previously:

• a "keyid" in the tuf repository was not updated when the key content was modified
• this was not noticed by root-signing test suite because
  • no other sigstore clients require keyids to match the content
  • there is no sigstore-rs test in the test suite

I've not confirmed this yet but the report looks correct.

[jku]

Note that this only affects the parts of sigstore-rs that actually uses awslabs/tough: I believe that's currently the bundle module only.

[exFalso]

This indeed broke for us, we have a test that detects breaking changes to root-signing. The error we get in particular is:

Invalid key ID 7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c: calculated 0c87432c3bf09fd99189fdc32fa5eaedf4e4a5fac7bab73fa04a2e0fc64af6f5 at line 76 column 4

[exFalso]

Is my understanding correct that this check is not actually necessary?