fix tuf dependency version

[jku]

There's an issue currently:

• signer depends on tuf ~=3.0
• signer also uses a property Metadata.signed_bytes added in 3.1
• the PR to upgrade tuf is in what feels like an endless limbo (see PR Update tuf version #115 )

That PR has not moved because the new features still needed tweaking which happened in tuf 4.0... which is not usable because other reasons related to sigstore compat.

Options:

• We can still bump the version to 3.1: everything should just work as is, we just won't be using all the new helpers added in 3.1.
• or we can remove the single use of signed_bytes: I believe that's the only accidentally used new feature

I think the version bump makes sense

cc @kommendorkapten

[jku]

securesystemslib 1.0 and tuf 5.0 have released. sigstore is likely happening soon (need to wait for that one because of the common dependency on tuf & securesystemslib)

[joshuagl]

Bump to 3.1 makes sense. Any reason that depending on a minor version should be avoided?

[jku]

Yeah bump to 3.1 makes sense.