Update or move away from the github.com/theupdateframework/go-tuf indirect #63451

@codingllama

Description

Specifically the "v0" of TUF (current is v0.7.0), as it is plagued by various vulnerabilities that are only patched in TUF v2.

TUF v0 is pulled as an indirect of various sigstore dependencies, none of which we have ways to update today.

$ git rev-parse HEAD
c6cc4156d25a9742db8861ca243e093e5f6964c1
$ go mod graph | grep ' github.com/theupdateframework/go-tuf@'
github.com/gravitational/teleport github.com/theupdateframework/go-tuf@v0.7.0
github.com/sigstore/cosign/v3@v3.0.4 github.com/theupdateframework/go-tuf@v0.7.0
github.com/sigstore/sigstore@v1.10.4 github.com/theupdateframework/go-tuf@v0.7.0
github.com/sigstore/sigstore-go@v1.1.4 github.com/theupdateframework/go-tuf@v0.7.0
github.com/sigstore/rekor@v1.5.0 github.com/theupdateframework/go-tuf@v0.7.0
github.com/sigstore/rekor-tiles/v2@v2.0.1 github.com/theupdateframework/go-tuf@v0.7.0

Note that, in release branches, an update of TUF v2 is also needed (blocked by Go 1.25).
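The `go mod graph | grep` check above answers "who requires the vulnerable version" by eye. As an added example (not part of this issue or of the Teleport code base), the shell functions below do the same over a module graph programmatically, so the check can run in CI: they list the distinct dependents of a given `module@version` and tell whether the root module requires it directly (so `go get -u` can fix it) or only through a dependency (so that dependency must be bumped or replaced first). The graph is a constructed sample modelled on the lines quoted above; the `cosign -> sigstore`, `teleport -> cosign` and `golang.org/x/text` edges are invented to make the output realistic and are not from the page.

```shell
#!/usr/bin/env sh
# Constructed sample of `go mod graph` output (one "dependent dependency" pair per line).
# The root module (here github.com/gravitational/teleport) carries no @version suffix.
# Lines for go-tuf@v0.7.0 mirror the issue; the other edges are invented for this example.
SAMPLE_GRAPH='github.com/gravitational/teleport github.com/sigstore/cosign/v3@v3.0.4
github.com/gravitational/teleport github.com/theupdateframework/go-tuf@v0.7.0
github.com/sigstore/cosign/v3@v3.0.4 github.com/sigstore/sigstore@v1.10.4
github.com/sigstore/cosign/v3@v3.0.4 github.com/theupdateframework/go-tuf@v0.7.0
github.com/sigstore/sigstore@v1.10.4 github.com/theupdateframework/go-tuf@v0.7.0
github.com/sigstore/sigstore-go@v1.1.4 github.com/theupdateframework/go-tuf@v0.7.0
github.com/sigstore/rekor@v1.5.0 github.com/theupdateframework/go-tuf@v0.7.0
github.com/sigstore/rekor-tiles/v2@v2.0.1 github.com/theupdateframework/go-tuf@v0.7.0
github.com/gravitational/teleport golang.org/x/text@v0.20.0'

# dependents_of GRAPH MODULE@VERSION
#   Prints the sorted, de-duplicated list of modules whose requirements name
#   exactly that module version (the second column of `go mod graph`).
dependents_of() {
  printf '%s\n' "$1" | awk -v target="$2" '$2 == target { print $1 }' | sort -u
}

# count_dependents GRAPH MODULE@VERSION
#   Number of distinct dependents; each one must be updated or replaced before
#   the vulnerable version disappears from the build list.
count_dependents() {
  dependents_of "$1" "$2" | wc -l | tr -d ' '
}

# is_direct GRAPH ROOT MODULE@VERSION
#   Exit 0 when ROOT itself requires the module version (a direct requirement
#   that go.mod can bump), non-zero when it is only reachable indirectly.
is_direct() {
  printf '%s\n' "$1" \
    | awk -v root="$2" -v target="$3" \
        '$1 == root && $2 == target { found = 1 } END { exit found ? 0 : 1 }'
}

# Stand-alone usage: report on the module version named in the issue.
TARGET=github.com/theupdateframework/go-tuf@v0.7.0
ROOT=github.com/gravitational/teleport
echo "$(count_dependents "$SAMPLE_GRAPH" "$TARGET") module(s) require $TARGET:"
dependents_of "$SAMPLE_GRAPH" "$TARGET" | sed 's/^/  /'
if is_direct "$SAMPLE_GRAPH" "$ROOT" "$TARGET"; then
  echo "$ROOT requires it directly as well as through its dependencies"
else
  echo "$ROOT reaches it only through its dependencies"
fi
```

On a real checkout, replace `SAMPLE_GRAPH` with `$(go mod graph)`; `go mod why -m <module>` then shows the shortest import chain that keeps a given dependent in the build. Because Go selects the highest required version of a module (minimal version selection), a direct `require` of a newer go-tuf in the root `go.mod` raises the selected version even while the sigstore modules still request v0.7.0, but a move to the separate `go-tuf/v2` module path does not remove the v0 module until every dependent listed by `dependents_of` stops requiring it.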
