
Reconsider the use of the annotation "kind": "dev.cosignproject.cosign/image" as gatekeeper for verify #4721

@Silvanoc

Description


Commit c5717cb introduced the use of the annotation "kind": "dev.cosignproject.cosign/image" in the index of an exported repository to identify the "target" of a Cosign signature. This annotation acts as a gatekeeper for the verification: if the annotation is missing, the verification will fail.

This approach blocks the possibility of exporting the repository with other tools (like ORAS) and letting Cosign verify the result. But IMO with the approach proposed in issue #4695 the annotation should not be needed.

The following message in the mentioned commit gives a hint on the reason for introducing it:

Add HasLocalBundles() function that auto-detects the signature format
by checking for dev.sigstore.cosign/bundle annotations in the local
OCI layout. If no bundles are found (v2 attached signatures), the
verification falls back to v2 mode automatically.

Disclaimer: I'm a beginner in Cosign, but proficient in the use of OCI technologies.
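As an added illustration (not cosign's own code and not part of this issue), the two checks discussed above run over a constructed OCI layout index.json: whether any manifest entry carries the "kind": "dev.cosignproject.cosign/image" gatekeeper annotation, and whether any entry carries a dev.sigstore.cosign/bundle annotation of the sort the commit message says HasLocalBundles() looks for. The sample index contents, the digests, the helper name and the assumption that both annotations sit on index manifest entries are mine.

```python
import json

KIND_ANNOTATION = "kind"
IMAGE_KIND = "dev.cosignproject.cosign/image"
BUNDLE_ANNOTATION = "dev.sigstore.cosign/bundle"


def inspect_index(index_json: str) -> dict:
    """Summarise cosign-relevant annotations in an OCI layout index.json.

    Reports which manifest entries are marked as the signing target via the
    "kind" annotation (the gatekeeper the issue describes) and which entries
    carry a bundle annotation (assumed here to live on index entries).
    """
    index = json.loads(index_json)
    targets, bundled = [], []
    for entry in index.get("manifests", []):
        annotations = entry.get("annotations") or {}
        digest = entry.get("digest", "<no digest>")
        if annotations.get(KIND_ANNOTATION) == IMAGE_KIND:
            targets.append(digest)
        if BUNDLE_ANNOTATION in annotations:
            bundled.append(digest)
    return {
        "has_image_kind": bool(targets),  # verification gatekeeper present?
        "targets": targets,
        "has_bundles": bool(bundled),     # bundle-format hint present?
        "bundled": bundled,
    }


# Constructed sample digests (not real content).
_IMAGE = "sha256:" + "a" * 64
_SIG = "sha256:" + "b" * 64

# Constructed index as a cosign export might write it: the image entry is
# tagged with the kind annotation and a second entry carries a bundle.
COSIGN_EXPORT = json.dumps({"schemaVersion": 2, "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": _IMAGE, "size": 1, "annotations": {KIND_ANNOTATION: IMAGE_KIND}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": _SIG, "size": 1, "annotations": {BUNDLE_ANNOTATION: "{}"}},
]})

# Constructed index as a generic tool (e.g. ORAS) might write it: the same
# image, but with no cosign-specific annotations at all.
PLAIN_EXPORT = json.dumps({"schemaVersion": 2, "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": _IMAGE, "size": 1},
]})

if __name__ == "__main__":
    print("cosign export:", inspect_index(COSIGN_EXPORT))
    print("plain export: ", inspect_index(PLAIN_EXPORT))
```

Running it against a real layout's index.json shows directly whether a failed verification is caused by the missing gatekeeper annotation rather than by the signatures themselves.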
