Consider including securesystemslib[crypto] as a dependency in TUF #2539

@rroctavian

Issue Description

The purpose of this issue is to kindly ask whether listing securesystemslib[crypto] as a dependency would improve the out-of-the-box experience with python-tuf.

I noticed that pip3 install tuf did not upgrade the pre-existing, old cryptography==3.4.8 present in a standard python installation. (The exact situation is an AWS Ubuntu 22.04 machine where python3 comes pre-installed with cryptography==3.4.8.) A more recent version like cryptography>=37.0.0 is required to perform a tuf.ngclient.Updater.download_target operation.

cryptography>=37.0.0 is listed as a dependency of the custom install securesystemslib[crypto] of securesystemslib, but not for the base install. Unfortunately, tuf==3.1.0 only mentions securesystemslib[crypto] in requirements/main.txt, but not as a dependency in pyproject.toml.

Reproduce issue

The issue becomes evident during signature verification processes, where the older cryptography library cannot correctly handle the signatures. Here are relevant snippets from the logs:

# create dirs
mkdir -p ~/.tuf_import_error_issue/metadata ~/.tuf_import_error_issue/tmp
# get root.json
curl -o ~/.tuf_import_error_issue/metadata/root.json https://raw.githubusercontent.com/sigstore/root-signing/main/ceremony/2022-10-18/repository/5.root.json

Please find attached the python file which generates the error and its logs below. You should be able to run the python script from anywhere as it has the paths indicated above hard-coded for this example.
tuf_import_error_issue.py.txt

Logs

DEBUG - tuf/ngclient/_internal/trusted_metadata_set.py:98 - Updating initial trusted root
INFO - securesystemslib/signer/_key.py:429 - Key xyz...123 failed to verify sig: 'pyca/cryptography' library required
INFO - tuf/api/metadata.py:744 - Key xyz...123 failed to verify root
...
tuf.api.exceptions.UnsignedMetadataError: root was signed by 0/3 keys

Summary

  • python-tuf lists securesystemslib>=0.26.0 as a dependency but does not specify that it should include the [crypto] extras.
  • When an outdated version of the cryptography library is already installed, installing python-tuf does not prompt an upgrade to meet securesystemslib[crypto]'s requirements, leading to potential signature verification issues.
  • Kindly consider including securesystemslib[crypto] as a direct dependency for python-tuf. This change would ensure that the necessary cryptography version is installed or upgraded during python-tuf's installation, mitigating issues related to outdated dependencies and improving the out-of-the-box security and reliability of python-tuf, especially in environments where dependency management is crucial.

I appreciate that managing dependencies is a delicate balance and I am curious to hear your thoughts. Please let me know if there is any further information I could help with.
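As an added example (not code from python-tuf or securesystemslib), the check below models the mechanism the issue describes: a requirement guarded by an extra marker is only enforced when that extra is requested, so a base install leaves an old cryptography untouched. The Requires-Dist line and the installed-version snapshot are constructed from the versions stated above.

```python
"""Check whether an environment meets a package's extra-guarded requirements.

Added example, not code from python-tuf or securesystemslib. Parses
Requires-Dist lines of the form  name[extras]>=version; extra == "name"
and compares them against a mapping of installed package versions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the issue: only the "crypto" extra of
# securesystemslib pins cryptography>=37.0.0; the base install pins nothing.
SAMPLE_REQUIRES_DIST = ['cryptography>=37.0.0; extra == "crypto"']

# Constructed snapshot of the machine in the issue (system Python with an
# old cryptography preinstalled, tuf==3.1.0, securesystemslib>=0.26.0).
SAMPLE_INSTALLED = {"tuf": "3.1.0", "securesystemslib": "0.26.0",
                    "cryptography": "3.4.8"}

_REQ = re.compile(
    r'^\s*(?P<name>[A-Za-z0-9_.-]+)\s*(?:\[[^\]]*\])?\s*'
    r'(?P<op>>=|==|>)?\s*(?P<ver>[\d.]+)?\s*'
    r'(?:;\s*extra\s*==\s*"(?P<extra>[^"]+)")?\s*$')

def _vtuple(v: str) -> Tuple[int, ...]:
    # Simple numeric comparison; enough for dotted release versions.
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def _satisfied(installed: str, op: str, wanted: str) -> bool:
    a, b = _vtuple(installed), _vtuple(wanted)
    return {"==": a == b, ">=": a >= b, ">": a > b}[op]

def unmet_requirements(requires_dist: List[str], installed: Dict[str, str],
                       extras: Tuple[str, ...] = ()) -> List[str]:
    """Return the requirement lines the environment fails to meet.

    A line guarded by an extra is skipped unless that extra is in `extras`,
    which is why `pip install tuf` never upgrades cryptography unless the
    [crypto] extra is part of the declared dependency.
    """
    unmet = []
    for line in requires_dist:
        m = _REQ.match(line)
        if not m:
            raise ValueError(f"unparsable requirement: {line!r}")
        if m["extra"] and m["extra"] not in extras:
            continue  # extra not requested: pip would not touch this package
        have = installed.get(m["name"].lower())
        if have is None or (m["op"] and not _satisfied(have, m["op"], m["ver"])):
            unmet.append(line)
    return unmet
```

On a real machine the first argument can come from `importlib.metadata.requires("securesystemslib")` and the second from `importlib.metadata.version()` per package, so the same function reports whether the installed environment actually satisfies the `crypto` extra.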
