[v10 signing] Add client signing configuration

[haydentherapper]

Description

Tracking issue to add the new client signing configuration described in sigstore/protobuf-specs#277 for the next root/target signing

cc @kommendorkapten

[jku]

I am not opposed to another artifact in the repo but I'll mention these downsides so it's clear to everyone:

• sigstore "client api" now includes the new proto. If a client that wants to use this data it needs parse this new file
• sigstore "client api" now includes the targetpath used in the TUF repo
• clients that want to use this data now need to download this targetpath with tuf

These are all reasonable but the last two items specifically are the price we pay for not just adding new optional fields into trusted_root.json.

[haydentherapper]

I was re reading the client notes and I see it’s actually unclear what the decision was on whether or not this should be its own file. @kommendorkapten do you know what the conclusion was?

[kommendorkapten]

@haydentherapper the overall agreement was to add a new file to not break anything for the existing clients.

It's listed here: (third bullet point: SigningConfig URLs from TUF)

New target (signing_config.json [agreed on naming])

As we call the trusted root trusted_root.json, we should call this signing_confg.json IMO.