trusted_root.json contains URLs for each Rekor key: this makes sense since the point is to be able to have multiple logs.
Same goes for Fulcio (although only one instance should be "active" at any point).
Currently the URLs are hard-coded in sigstore-python: this prevents "choosing your instance" by providing a trusted_root.json.
We should use the URLs in trusted_root.json instead
My hand-wave design at this point is that Keyring should store URL-key pairs instead of just keys. That way e.g. RekorClient can make requests to the correct place for each key.
Assuming that #844 is merged at some point, it probably makes sense for the trust root class to return Keyrings directly.
There is an added complexity in signing as the OAuth (dex) URL is also hard-coded... It probably should be in trusted_root.json but it currently is not.
This likely means we can simplify how some components are initialized: e.g. RekorClient possibly doesn't need different constructors for staging and production: just a single RekorClient.from_trust_root(root: TrustedRoot) should do (because the trust root contains all information about staging/prod).
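An added example (not sigstore-python's code) sketching the URL-key pairing the issue and the comment above describe: a keyring built from a trusted_root.json-style `tlogs` list, keyed by log key ID so a client can find the URL for each key, plus a helper that picks the logs whose validity window contains "now". The names `LogKey`, `load_keyring`, `current_logs`, `parse_ts` and the sample document are hypothetical/constructed; the JSON shape follows the `tlogs` entries of Sigstore's trusted root format.

```python
from __future__ import annotations
import base64
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the shape of a trusted_root.json `tlogs` list;
# key bytes and log IDs are placeholders, not real Sigstore material.
SAMPLE_TRUSTED_ROOT = json.dumps({"tlogs": [
    {"baseUrl": "https://rekor-old.example.test",
     "logId": {"keyId": base64.b64encode(b"log-zero").decode()},
     "publicKey": {"rawBytes": base64.b64encode(b"key-zero").decode(),
                   "validFor": {"start": "2020-01-01T00:00:00.000Z",
                                "end": "2021-01-12T11:53:27.000Z"}}},
    {"baseUrl": "https://rekor.example.test",
     "logId": {"keyId": base64.b64encode(b"log-one").decode()},
     "publicKey": {"rawBytes": base64.b64encode(b"key-one").decode(),
                   "validFor": {"start": "2021-01-12T11:53:27.000Z"}}},
]})

@dataclass(frozen=True)
class LogKey:
    url: str          # where a client should send requests for this key
    key_id: bytes
    public_key: bytes
    start: datetime
    end: datetime | None

    def valid_at(self, when: datetime) -> bool:
        return self.start <= when and (self.end is None or when < self.end)

def parse_ts(value: str) -> datetime:
    # RFC 3339 "Z" suffix -> explicit UTC offset so fromisoformat accepts it
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def load_keyring(trusted_root_json: str) -> dict[bytes, LogKey]:
    """Map log key ID -> LogKey, so the URL travels with each key."""
    keyring: dict[bytes, LogKey] = {}
    for tlog in json.loads(trusted_root_json).get("tlogs", []):
        vf = tlog["publicKey"].get("validFor", {})
        key = LogKey(url=tlog["baseUrl"],
                     key_id=base64.b64decode(tlog["logId"]["keyId"]),
                     public_key=base64.b64decode(tlog["publicKey"]["rawBytes"]),
                     start=parse_ts(vf["start"]),
                     end=parse_ts(vf["end"]) if "end" in vf else None)
        keyring[key.key_id] = key  # keep retired keys: old entries need them
    return keyring

def current_logs(keyring: dict[bytes, LogKey], now: datetime) -> list[LogKey]:
    """Logs a signer may submit to right now (validity window contains now)."""
    return [k for k in keyring.values() if k.valid_at(now)]
```

Verification keeps every key (an old entry is checked against the log that signed it), while signing chooses among `current_logs`, which is where the "only one active instance" expectation applies.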