Require embedded SCT on verification by default

[haydentherapper]

Description

Currently, SCT verification happens on:

• Signing, either by checking an embedded SCT (public good Fulcio) or a detached SCT returned in a header. It's skipped if an insecure flag is provided
• Verification, if either the enforce-sct flag is set or if an embedded SCT is present.

Signing is good - Always check, unless you explicitly provide an insecure flag. However, for verification, you must present a flag to require the check, which is not ideal - This was added because previously issued certificates did not include an embedded SCT and the Cosign metadata did not include a way to persist the detached SCT.

I propose:

1. We require that an SCT be embedded or explicitly provided for the detached case. For the detached case, we could either add new annotation metadata, or simply require it be passed by flag. Given the detached case is only for private deployments, I would probably go with flag for now.
2. We remove the enforce-sct flag and leverage an insecure flag to skip the check on verification.

This would be a part of Cosign 2.0, since it's a breaking change.

Code:

• cosign/pkg/cosign/verify.go

  Lines 204 to 215 in d795dcb

  	if co.EnforceSCT && !contains {
  	return nil, &VerificationError{"certificate does not include required embedded SCT"}
  	}
  	if contains {
  	// handle if chains has more than one chain - grab first and print message
  	if len(chains) > 1 {
  	fmt.Fprintf(os.Stderr, "**Info** Multiple valid certificate chains found. Selecting the first to verify the SCT.\n")
  	}
  	if err := ctl.VerifyEmbeddedSCT(context.Background(), chains[0]); err != nil {
  	return nil, err
  	}
  	}

• cosign/cmd/cosign/cli/options/certificate.go

  Line 77 in d795dcb

  cmd.Flags().BoolVar(&o.EnforceSCT, "enforce-sct", false,