CLI targets add command does not handle failed password

[dennisvang]

Describe the bug

When adding a target, if a private key is password protected and we enter the wrong password, signing fails, leaving the repo in an invalid state.

Workaround

Luckily the workaround is simple:

run the command again, this time enter the correct password

However, this should be handled properly.

To Reproduce
make sure at least one of the relevant private keys is password protected, then add a target, e.g.:

tufup targets add --skip-patch 1.2.3 my_dist my_keystore

and enter an invalid password

Expected behavior

• either request password again,
• or fail, but roll back any changes that have been made (remove archive file and remove corresponding entry in targets.json, if any)

Observed behavior

cli command fails with

securesystemslib.exceptions.CryptoError: Decryption failed.

but the new archive file remains in the repository/targets directory