
Update Root and Targets #430

Merged
merged 1 commit into from
Oct 4, 2022

Conversation

github-actions[bot]
Contributor

@github-actions github-actions bot commented Oct 3, 2022

Initializes a new root and targets

Signed-off-by: GitHub <noreply@github.com>
@asraa
Contributor

asraa commented Oct 3, 2022

Please see #410 and #407 for history. Some things to note that came up before, that you can double-verify:

ROOT CONFIGURATION

  • We have 10 placeholder signatures on staged/root.json. They should be both the [new] and [deprecated] IDs in the verify output.
  • We have 5 keys designated for the root and targets roles in staged/root.json. These should match the keys in the verify output marked as [new].
  • The threshold for the root and targets roles is 3 in staged/root.json.
  • Consistent snapshot is enabled in staged/root.json.
  • The version of staged/root.json is 5.
  • Expire in 6 months on 2023-04-03

DELEGATIONS

TARGETS

  • The version of staged/targets.json is 5.
  • Expire in 6 months on 2023-04-03: I fixed the target expiration noted in Update Root and Targets #407 (comment) with fix: fix targets expiration regression #409
  • We have 5 placeholder signatures on staged/targets.json. These should match the keys in the verify output marked as [new].
  • The targets added in staged/targets.json contain custom metadata designating fulcio, rekor and CTFE URIs, if applicable.
  • Old existing targets are present, and targets are also moved into sub-directories per usage.

SNAPSHOT/TIMESTAMP

  • Note the snapshot and timestamp key rotation out of the project-rekor GCP project.
  • You can verify the key if you have viewer access to the public keys:
$ gcloud kms keys versions get-public-key 1 --key snapshot --keyring root --location global --project sigstore-root-signing
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF
0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==
-----END PUBLIC KEY-----
$ cat ceremony/2022-10-03/staged/root.json | jq -r .signed.roles[\"snapshot\"].keyids
[
  "45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b"
]
$ cat ceremony/2022-10-03/staged/root.json | jq -r .signed.keys[\"45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b\"].keyval.public
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF
0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==
-----END PUBLIC KEY-----

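The root.json checklist above, turned into a script as an added example (this is not the repository's own tooling and it runs against a constructed staged root, not the real ceremony file). It assumes TUF keyids are the SHA-256 of the OLPC canonical JSON of the key object, and compares the snapshot role's key against a PEM string standing in for the `gcloud kms keys versions get-public-key` output:

```python
import hashlib

def canonical(obj):
    """OLPC canonical JSON as used for TUF keyids: sorted keys, no whitespace,
    only '"' and '\\' escaped in strings (newlines inside PEM stay literal)."""
    if isinstance(obj, bool):
        return "true" if obj else "false"
    if isinstance(obj, int):
        return str(obj)
    if isinstance(obj, str):
        return '"' + obj.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if isinstance(obj, list):
        return "[" + ",".join(map(canonical, obj)) + "]"
    return "{" + ",".join(canonical(k) + ":" + canonical(v) for k, v in sorted(obj.items())) + "}"

def keyid_of(key):  # assumed keyid derivation: SHA-256 over canonical JSON of the key object
    return hashlib.sha256(canonical(key).encode()).hexdigest()

def ecdsa_key(pem):  # key object in the shape root.json uses (constructed)
    return {"keytype": "ecdsa-sha2-nistp256", "scheme": "ecdsa-sha2-nistp256",
            "keyid_hash_algorithms": ["sha256", "sha512"], "keyval": {"public": pem}}

def check_root(root, version, threshold, n_keys, expires, sig_ids, snapshot_pem):
    """Return the failed checklist items; an empty list means the staged root passes."""
    s, bad = root["signed"], []
    if s.get("consistent_snapshot") is not True: bad.append("consistent_snapshot")
    if s["version"] != version: bad.append("version")
    if s["expires"] != expires: bad.append("expires")
    for role in ("root", "targets"):
        if s["roles"][role]["threshold"] != threshold: bad.append(role + " threshold")
        if len(s["roles"][role]["keyids"]) != n_keys: bad.append(role + " keyids")
    # each keyid must hash to the key it names, and every role keyid must exist in keys
    bad += ["keyid " + k[:8] for k, key in s["keys"].items() if keyid_of(key) != k]
    bad += ["unknown " + k[:8] for r in s["roles"].values() for k in r["keyids"] if k not in s["keys"]]
    # placeholder signatures must cover both the [new] and the [deprecated] ids
    if {sig["keyid"] for sig in root["signatures"]} != set(sig_ids): bad.append("signatures")
    snap = s["roles"]["snapshot"]["keyids"]  # must be the single rotated KMS key
    if len(snap) != 1 or s["keys"][snap[0]]["keyval"]["public"] != snapshot_pem: bad.append("snapshot key")
    return bad

def sample_root(expires="2023-04-03T00:00:00Z"):
    """Constructed staged root mirroring the checklist (not the real ceremony file)."""
    new = [ecdsa_key(f"-----BEGIN PUBLIC KEY-----\nNEW{i}\n-----END PUBLIC KEY-----\n") for i in range(5)]
    old_ids = [hashlib.sha256(f"old{i}".encode()).hexdigest() for i in range(5)]  # [deprecated] ids
    snap_pem = "-----BEGIN PUBLIC KEY-----\nSNAPSHOT\n-----END PUBLIC KEY-----\n"
    snap, new_ids = ecdsa_key(snap_pem), [keyid_of(k) for k in new]
    keys = {keyid_of(k): k for k in new + [snap]}
    roles = {"root": {"keyids": new_ids, "threshold": 3}, "targets": {"keyids": new_ids, "threshold": 3},
             "snapshot": {"keyids": [keyid_of(snap)], "threshold": 1}}
    signed = {"_type": "root", "version": 5, "expires": expires, "consistent_snapshot": True, "keys": keys, "roles": roles}
    return {"signed": signed, "signatures": [{"keyid": k, "sig": ""} for k in new_ids + old_ids]}, new_ids + old_ids, snap_pem
```

For the real file, load `ceremony/2022-10-03/staged/root.json` with `json.load` and pass the [new] plus [deprecated] ids from the verify output and the PEM returned by gcloud.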
@bobcallaway
Member

verified, LGTM! Thanks @asraa for all the hard work here!

Member

@joshuagl joshuagl left a comment


This PR LGTM, thank you for all the hard work getting everything in order @asraa!

VERIFIED KEY WITH SERIAL NUMBER 13078778
TUF key ids:
	2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97 [deprecated]
	ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c [new]

VERIFIED KEY WITH SERIAL NUMBER 14470876
TUF key ids:
	eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b [deprecated]
	25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99 [new]

VERIFIED KEY WITH SERIAL NUMBER 15938765
TUF key ids:
	f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb [deprecated]
	f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f [new]

VERIFIED KEY WITH SERIAL NUMBER 15938791
TUF key ids:
	f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209 [deprecated]
	7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b [new]

VERIFIED KEY WITH SERIAL NUMBER 18158855
TUF key ids:
	75e867ab10e121fdef32094af634707f43ddd79c6bab8ad6c5ab9f03f4ea8c90 [deprecated]
	2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de [new]
Outputting metadata verification at /Users/jlock/Projects/root-signing-ceremony/ceremony/2022-10-03...

Verifying targets.json...
        Contains 0/3 valid signatures from the current staged metadata
        targets version 5, expires 2023/04/03

Verifying root.json...
        Contains 0/3 valid signatures from the current staged metadata
        Contains 0/3 valid signatures from the previous root
        root version 5, expires 2023/04/03
VERIFYING TUF CLIENT UPDATE

Client successfully initialized, updating and downloading targets...
Client updated to...
        root.json version 4, expires 2023/01/12
        timestamp.json version 50, expires 2022/10/17
        snapshot.json version 50, expires 2022/10/24
        targets.json version 4, expires 2023/01/12

Member

@kommendorkapten kommendorkapten left a comment


Verify command came out clean.
Manually verified that the old and new keys match up against the verify command, 4.root.json, and that new keys for snapshot and timestamp are staged.

@asraa asraa merged commit 809a3b6 into main Oct 4, 2022