Add more complex TUF tests (#4003)

Add tests for invalid keys, custom metadata, and TSA verification.

These tests do not test the signing flow for when Fulcio issues a
detached SCT, which can be affected by the TUF client, because the
ephemral CA Fulcio backend cannot issue detached SCTs.

Signed-off-by: Colleen Murphy <[email protected]>