signer: Allow multiple signatures

This makes it possible to sign the same metadata twice:
* currently this is only useful when fixing the keyid compliance issue
  in root (see theupdateframework#292). Basically the user will be asked to sign with
  both the keyid from root N+1 and the keyid from root N.
* there are clear use cases with one signer with multiple keys in
  future (think e.g. key rotation).

signer/tuf_on_ci_sign/_signer_repository.py

@@ -742,12 +742,12 @@ def status(self, rolename: str) -> str:
     def sign(self, rolename: str):
         """Sign without payload changes"""
         md = self.open(rolename)
+        signed = False
         for key in self._get_keys(rolename):
             keyowner = key.unrecognized_fields["x-tuf-on-ci-keyowner"]
             if keyowner == self.user.name:
                 self._sign(rolename, md, key)
-                self._write(rolename, md)
-                return
+                signed = True
 
         # Root is eligible to sign current root if the signer was valid
         # in previous version
@@ -756,10 +756,12 @@ def sign(self, rolename: str):
                 keyowner = key.unrecognized_fields["x-tuf-on-ci-keyowner"]
                 if keyowner == self.user.name:
                     self._sign(rolename, md, key)
-                    self._write(rolename, md)
-                    return
+                    signed = True
 
-        raise ValueError(f"{rolename} signing key for {self.user.name} not found")
+        if signed:
+            self._write(rolename, md)
+        else:
+            raise ValueError(f"{rolename} signing key for {self.user.name} not found")
 
 
 def build_paths(rolename: str, depth: int) -> list[str]: