TUF: Support option to reference mirror during verification/signing

[haydentherapper]

Description

Currently, cosign initialize is the only way to update BYO TUF metadata. If the TUF metadata is out of date on verification/signing, then cosign will fetch the updated TUF metadata from the hosted GCS bucket.

One option would be to move mirror and root to global flags, so that these could be used with any cosign command. The TUF client would need to be refactored to look for these flags when updating TUF metadata.

#1288 improves UX for this issue, so that the flag values don't have to be passed with each invocation.

cc @asraa

[asraa]

Just adding some more context:

then cosign will fetch the updated TUF metadata from the hosted GCS bucket.

This is because of the default fallback. It's kind of questionable on whether we want to fallback gracefully or fail when your cache is expired or corrupt

[haydentherapper]

Adding support for this will also allow cosign to support BYO TUF with no disk writes (SIGSTORE_NO_CACHE), since the TUF client would use the mirror to fetch TUF metadata/targets, and then those would be persisted in-memory.

[rgerganov]

It'd be also nice if cosign is keeping the mirror URL which is passed on cosign initialize and tries to update from it when the local cache has expired.