Verify sigstore bundles with a public key

[apyrgio]

Description

I see in cosign and sigstore-rs that there's the ability to verify a sigstore bundle with a public key. Is this something that sigstore-python plans to offer as a feature?

[woodruffw]

Hi @apyrgio, thanks for the issue!

Supporting "bare" public keys isn't an immediate priority for this client: the Sigstore client specifications around long-term keys (versus identity-based signing) aren't as clear, and this client mostly aims to follow the specs strictly.

I'll keep this open, but there's no immediate timeline (much less design plan) for this.

[apyrgio]

Good to know, thanks!