Description
It looks like the embedded TUF root metadata that cosign uses comes from this repository: https://github.com/sigstore/sigstore/blob/main/pkg/tuf/repository/root.json
(I'm not super familiar with Go or this code base so please correct if that's not right)
This embedded metadata file doesn't have to match the current published repository, but it would make sense to keep it fairly up-to-date: most network traffic on the sigstore TUF repository seems to be cosign instances downloading old root metadata files. Updating the embedded root would decrease the traffic on the repository and improve the cosign user experience.
I'll be filing another issue to improve the process (so it would be easier to keep this file updated in future) but this bug is just about updating the embedded root to the current one from https://github.com/sigstore/root-signing/tree/main/repository/repository.
(EDIT: "bug" might be the wrong label: nothing is strictly speaking broken)
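The cost the issue describes comes from the TUF root-update loop: a client that starts from embedded root version N must fetch and verify N+1.root.json, N+2.root.json, and so on until it reaches the published version. The script below, an added example that is not cosign's or sigstore's code, parses two root.json documents (the embedded one and the latest published one), counts the extra root downloads every fresh client pays, and reports whether the root key set rotated in between. The two metadata documents are constructed samples in the shape of a real root.json with the key material and signatures trimmed away; the function names are this example's own.

```python
"""Measure how stale an embedded TUF root.json is relative to the published one.

Added example, not project code. The metadata below is constructed for the
example: real root.json files carry full public keys and signatures.
"""
import json
from datetime import datetime, timezone

# Constructed sample: what an embedded root.json might look like.
EMBEDDED_ROOT_JSON = json.dumps({
    "signed": {
        "_type": "root",
        "spec_version": "1.0",
        "version": 5,
        "expires": "2023-01-01T00:00:00Z",
        "consistent_snapshot": True,
        "keys": {"keyA": {"keytype": "ecdsa-sha2-nistp256"},
                 "keyB": {"keytype": "ecdsa-sha2-nistp256"},
                 "keyC": {"keytype": "ecdsa-sha2-nistp256"}},
        "roles": {"root": {"keyids": ["keyA", "keyB", "keyC"], "threshold": 2}},
    },
    "signatures": [{"keyid": "keyA", "sig": "<omitted>"}],
})

# Constructed sample: the latest published root, two versions ahead with one
# root key rotated (keyA retired, keyD added).
LATEST_ROOT_JSON = json.dumps({
    "signed": {
        "_type": "root",
        "spec_version": "1.0",
        "version": 7,
        "expires": "2024-01-01T00:00:00Z",
        "consistent_snapshot": True,
        "keys": {"keyB": {"keytype": "ecdsa-sha2-nistp256"},
                 "keyC": {"keytype": "ecdsa-sha2-nistp256"},
                 "keyD": {"keytype": "ecdsa-sha2-nistp256"}},
        "roles": {"root": {"keyids": ["keyB", "keyC", "keyD"], "threshold": 2}},
    },
    "signatures": [{"keyid": "keyB", "sig": "<omitted>"}],
})


def parse_tuf_time(value):
    """TUF timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_root(text):
    """Extract the fields that matter for staleness from a root.json document."""
    signed = json.loads(text)["signed"]
    if signed.get("_type") != "root":
        raise ValueError("not a TUF root metadata document")
    root_role = signed["roles"]["root"]
    return {
        "version": int(signed["version"]),
        "expires": parse_tuf_time(signed["expires"]),
        "root_keyids": sorted(root_role["keyids"]),
        "root_threshold": int(root_role["threshold"]),
    }


def catch_up_versions(embedded_version, latest_version):
    """Root versions a client must fetch, one file each: N+1.root.json ... latest."""
    if latest_version < embedded_version:
        raise ValueError("published root is older than the embedded one")
    return list(range(embedded_version + 1, latest_version + 1))


def key_rotation(old_root, new_root):
    """Root-role key ids that were added or removed between two root versions."""
    old, new = set(old_root["root_keyids"]), set(new_root["root_keyids"])
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def staleness_report(embedded_text, latest_text, now_utc=None):
    """Summarise the per-client cost of shipping an out-of-date embedded root.

    now_utc: optional TUF-style timestamp string; defaults to the real clock.
    Note that an expired embedded root is still usable as a starting point for
    the update chain; TUF checks expiry only after the root has been updated.
    """
    embedded, latest = parse_root(embedded_text), parse_root(latest_text)
    now = parse_tuf_time(now_utc) if now_utc else datetime.now(timezone.utc)
    versions = catch_up_versions(embedded["version"], latest["version"])
    return {
        "embedded_version": embedded["version"],
        "latest_version": latest["version"],
        "embedded_expired": now > embedded["expires"],
        "extra_downloads_per_client": len(versions),
        "versions_to_fetch": versions,
        "root_key_rotation": key_rotation(embedded, latest),
    }


if __name__ == "__main__":
    print(json.dumps(staleness_report(EMBEDDED_ROOT_JSON, LATEST_ROOT_JSON,
                                      "2023-06-01T00:00:00Z"), indent=2))
```

Pointing the two inputs at the real embedded file and the latest `N.root.json` from the root-signing repository gives a quick check, suitable for CI, that fails when the embedded root falls more than a chosen number of versions behind.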