cosign verify message has hardcoded fulcio reference #2562

Closed
vEpiphyte opened this issue Dec 21, 2022 · 0 comments · Fixed by #2621
Labels
bug Something isn't working

@vEpiphyte
Description

When using a bring-your-own-PKI scenario (using notes from #1554), cosign verify produces a hardcoded reference to the Fulcio roots, despite the Fulcio roots not being used.

Here is an example (using cosign v1.13.1):

$ COSIGN_EXPERIMENTAL=1 SIGSTORE_ROOT_FILE=./keys/cas/fullchain.pem cosign verify --rekor-url="" repo/someImage:myTag -a foo=bar

The verify gives me the following output:

The following checks were performed on each of these signatures:
  - The specified annotations were verified.
  - The cosign claims were validated
  - Any certificates were verified against the Fulcio roots.  <---------- This line is misleading

I would expect certificate verification to possibly include the names of the CAs from the fullchain.pem file? But hard-coding the Fulcio reference when Fulcio isn't used does not feel correct.

This value is hardcoded here: https://github.com/sigstore/cosign/blob/v1.13.1/cmd/cosign/cli/verify/verify.go#L231 and the prior function notes that it needs to be refactored to have better awareness of verification so it can pass that information along.

I do not know if any of this has changed in the v2 / main code.

Version

$ cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v1.13.1
GitCommit:     d1c6336475b4be26bb7fb52d97f56ea0a1767f9f
GitTreeState:  clean
BuildDate:     2022-10-17T18:00:05Z
GoVersion:     go1.19.2
Compiler:      gc
Platform:      linux/amd64
@vEpiphyte vEpiphyte added the bug Something isn't working label Dec 21, 2022
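The defect reported above is that the summary line is a fixed string rather than something derived from the verification that actually happened. The following Go program is an added example, not cosign's code and not from the issue author, showing the alternative: verify a leaf against whatever root file the operator supplied (here a constructed in-memory CA standing in for fullchain.pem), and build the check line from the chain that validated, so the trust anchor's real subject is reported. The function names (ConstructedChain, CheckLine, signCert, parseCert, must) and the CA name "Example Private CA" are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; used only for the constructed fixture, never for verification.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// parseCert decodes one PEM-encoded certificate.
func parseCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// signCert signs tmpl with signer and returns it PEM-encoded (nil parent = self-signed).
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) ([]byte, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ConstructedChain generates, in memory, a private root CA named caName and a
// code-signing leaf it issued: constructed stand-ins for an operator's fullchain.pem.
func ConstructedChain(caName string) (rootPEM, leafPEM []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootPEM = must(signCert(caTmpl, nil, &caKey.PublicKey, caKey))
	rootCert := must(parseCert(rootPEM))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "image-signer"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafPEM = must(signCert(leafTmpl, rootCert, &leafKey.PublicKey, caKey))
	return rootPEM, leafPEM
}

// CheckLine verifies leafPEM against the roots in rootPEM and builds the summary
// line from the chain that actually validated, naming the trust anchor's subject
// rather than a hardcoded "Fulcio roots".
func CheckLine(leafPEM, rootPEM []byte) (string, error) {
	leaf, err := parseCert(leafPEM)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return "", errors.New("no usable root certificates in root file")
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil {
		return "", fmt.Errorf("certificate chain verification failed: %w", err)
	}
	anchor := chains[0][len(chains[0])-1] // the last certificate in a chain is the trusted root
	return fmt.Sprintf("  - Any certificates were verified against the root: %s", anchor.Subject.String()), nil
}

func main() {
	root, leaf := ConstructedChain("Example Private CA")
	line := must(CheckLine(leaf, root))
	fmt.Println("The following checks were performed on each of these signatures:")
	fmt.Println(line)
}
```

The design choice worth noting is that the reported anchor is taken from the chain returned by Verify, not from configuration: if the operator's root file were ignored and some other pool were used, the output would say so, which is exactly the information the issue asks the message to carry. A root file that contains no certificates, or a leaf that does not chain to it, is an error rather than a green line.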
haydentherapper added a commit to haydentherapper/cosign that referenced this issue Jan 11, 2023
Fixes sigstore#2562

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
haydentherapper added a commit to haydentherapper/cosign that referenced this issue Jan 11, 2023
Fixes sigstore#2562

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
znewman01 pushed a commit that referenced this issue Jan 14, 2023
* Remove hardcoded Fulcio from output

Fixes #2562

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

* remove trailing whitespace

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>