policy-controller
Allow specifying the verification mode: online, offline, fallback
Description
Cosign v2 is planning to add new flags that will allow specifying the expected verification mode, e.g.
--rekor-verification={offline,fallback,online,insecure} (default fallback)
--sct-verification={offline,fallback,online,insecure} (default fallback; replaces --enforce-sct flag)
--tsa-verification={offline,fallback,online} (default fallback)
Our CIP API definition should be able to handle these new verification modes to mimic these cosign changes. At the moment, the proposed changes in https://github.com/sigstore/cosign/issues/2466 are not yet done upstream. Therefore we should consider waiting until these changes are part of more stable releases before adapting our API.
More info here: https://github.com/sigstore/cosign/issues/2466
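Added example (not code from the issue, cosign or policy-controller): a small Go model of the semantics those four values are understood to carry, so the difference between them is concrete. The meanings assumed here are: offline trusts only the proof bundled with the signature and never contacts a server; online always queries the server and ignores any bundle; fallback uses the bundle if present and only queries the server when it is absent; insecure skips the check. The names ParseMode, Decide, Source and ErrMissingProof are this example's own, and the "no insecure for TSA" rule is taken from the flag list above.

```go
package main

import (
	"errors"
	"fmt"
)

// Mode mirrors the values proposed for cosign's --rekor-verification,
// --sct-verification and --tsa-verification flags. The semantics encoded
// below are this example's reading of the proposal, not project code.
type Mode string

const (
	ModeOffline  Mode = "offline"  // bundled proof only; never contact a server
	ModeFallback Mode = "fallback" // bundle if present, otherwise query the server
	ModeOnline   Mode = "online"   // always query the server; ignore any bundle
	ModeInsecure Mode = "insecure" // skip this check (not offered for TSA)
)

// ParseMode validates a flag value. allowInsecure is false for TSA, whose
// proposed flag has no insecure option. An empty value yields the proposed
// default, fallback.
func ParseMode(s string, allowInsecure bool) (Mode, error) {
	switch Mode(s) {
	case ModeOffline, ModeFallback, ModeOnline:
		return Mode(s), nil
	case ModeInsecure:
		if allowInsecure {
			return ModeInsecure, nil
		}
		return "", fmt.Errorf("insecure mode is not permitted for this check")
	case "":
		return ModeFallback, nil
	}
	return "", fmt.Errorf("unknown verification mode %q", s)
}

// Source records which proof the decision ended up trusting.
type Source string

const (
	SourceBundle  Source = "bundle"
	SourceServer  Source = "server"
	SourceSkipped Source = "skipped"
)

// ErrMissingProof is returned by offline mode when the signature carries no
// inline proof: offline must fail closed rather than silently go online.
var ErrMissingProof = errors.New("no bundled proof and online lookup not permitted")

// Decide applies the mode. hasBundle reports whether the signature carries an
// inline proof (Rekor bundle, SCT or TSA timestamp); lookup performs the
// online check and is invoked only when the mode permits it.
func Decide(m Mode, hasBundle bool, lookup func() error) (Source, error) {
	switch m {
	case ModeInsecure:
		return SourceSkipped, nil
	case ModeOffline:
		if !hasBundle {
			return "", ErrMissingProof
		}
		return SourceBundle, nil
	case ModeOnline:
		if err := lookup(); err != nil {
			return "", err
		}
		return SourceServer, nil
	case ModeFallback:
		if hasBundle {
			return SourceBundle, nil
		}
		if err := lookup(); err != nil {
			return "", err
		}
		return SourceServer, nil
	}
	return "", fmt.Errorf("unknown verification mode %q", m)
}

func main() {
	// Constructed scenario: a signature without an inline Rekor bundle and a
	// stand-in lookup that pretends the log is unreachable.
	unreachable := func() error { return errors.New("rekor unreachable") }
	for _, m := range []Mode{ModeOffline, ModeFallback, ModeOnline, ModeInsecure} {
		src, err := Decide(m, false, unreachable)
		fmt.Printf("%-8s bundle=false -> source=%q err=%v\n", m, src, err)
	}
}
```

The point of the table is that only fallback changes behaviour depending on what the signature carries; offline and online are deterministic about whether a network call happens, which is what a policy author usually wants to pin down. For a CIP this is the distinction the API would have to expose once the upstream flags stabilise.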
That issue is a little confusing; it just tracks adding some test cases, which are already in.
As part of that discussion, we discuss improving the APIs/CLI for verification modes in this manner. But that probably won't happen pre-2.0. So no rush on this for compatibility.
@znewman01 Yes, that makes sense 👍🏻. I assumed that will happen once v2 is released or even later.