feat(verfication): trusted root fetch command

[brandtkeller]

Description

This implements a zarf tools trusted-root create command to retrieve the Trusted Root via TUF (The Update Framework).

This mirrors cosign as opposed to embedding the cobra command directly as documented in the code.

This will then allow us to reliably and reproducibly fetch the trusted root for either embedding in zarf AND/OR external users getting an update trusted root under the circumstances they cannot upgrade to a Zarf version containing the updated embedded certificate.

More details can be found in #4289 - this trusted root will only be used for non-key signing verification.

Related Issue

Fixes #4570

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide Steps followed

[netlify]

✅ Deploy Preview for zarf-docs ready!

Name	Link
🔨 Latest commit	9b44f28
🔍 Latest deploy log	https://app.netlify.com/projects/zarf-docs/deploys/69e7dd0ca21f0f00081b1640
😎 Deploy Preview	https://deploy-preview-4829--zarf-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

❌ Patch coverage is 75.94937% with 19 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/cmd/tools_trustedroot.go	75.64%	18 Missing and 1 partial ⚠️

Files with missing lines	Coverage Δ
src/cmd/tools.go	91.17% <100.00%> (+0.26%)	⬆️
src/cmd/tools_trustedroot.go	75.64% <75.64%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[soltysh]

lgtm