Gitsign's Rekor public keys fetched from upstream API instead of local TUF client. in github.com/sigstore/gitsign