sigstore / sigstore-python

A Sigstore client written in Python
https://pypi.org/p/sigstore

Add a command to update `trusted_root.json` without verifying anything #1172

Closed mgorny closed 1 month ago

mgorny commented 1 month ago

Description

I'm sorry if I'm missing something but FWICS the only way to update trusted_root.json right now is to actually perform a verification. Could you please consider adding a "pure" update command, that would only update trusted_root.json and indicate whether the update was successful via exit status?

This would be part of Gentoo sigstore deployment, where we'd like to separately update the trust root in an online environment, and then deploy it to offline environments.

woodruffw commented 1 month ago

> I'm sorry if I'm missing something but FWICS the only way to update `trusted_root.json` right now is to actually perform a verification. Could you please consider adding a "pure" update command, that would only update `trusted_root.json` and indicate whether the update was successful via exit status?

Thanks for the report. Your understanding is correct, the only current way to update the trust root is to perform an initial online operation, which will perform an update in the process.

Adding a plumbing level command that just updates the trust root and supplies an exit code makes a lot of sense to me; I'll look into that.
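The deployment the issue describes (refresh the trust root on an online host, then push the file to offline hosts) wants a gate between the two steps: before the file is shipped, confirm it is a well-formed trusted root whose log key and certificate authority are still inside their validity windows, and report the result as an exit status. The script below is an added example for this thread, not sigstore-python's own code and not part of the Gentoo tooling; the root itself must still come from the client's online update, this only inspects the resulting file offline. The embedded `SAMPLE_TRUSTED_ROOT` is constructed for the example (placeholder bytes, not real Sigstore key or certificate material), and the function names are ours.

```python
"""Pre-deployment sanity check for an exported Sigstore trusted_root.json.

Added example, not sigstore-python code. It inspects a trust root that was
already fetched by the client and returns an exit status a deploy script
can branch on, without touching the network.
"""
import json
import sys
from datetime import datetime, timezone

TRUSTED_ROOT_MEDIA_TYPE = "application/vnd.dev.sigstore.trustedroot+json"

# Constructed minimal root in the TrustedRoot JSON shape (mediaType, tlogs,
# certificateAuthorities, ...). Key and certificate bytes are placeholders.
SAMPLE_TRUSTED_ROOT = json.dumps({
    "mediaType": TRUSTED_ROOT_MEDIA_TYPE + ";version=0.1",
    "tlogs": [{
        "baseUrl": "https://rekor.sigstore.dev",
        "hashAlgorithm": "SHA2_256",
        "publicKey": {
            "rawBytes": "AAAA",
            "keyDetails": "PKIX_ECDSA_P256_SHA_256",
            "validFor": {"start": "2021-01-12T11:53:27.000Z"},
        },
        "logId": {"keyId": "AAAA"},
    }],
    "certificateAuthorities": [{
        "subject": {"organization": "sigstore.dev", "commonName": "sigstore"},
        "uri": "https://fulcio.sigstore.dev",
        "certChain": {"certificates": [{"rawBytes": "AAAA"}]},
        "validFor": {"start": "2022-04-13T20:06:15.000Z",
                     "end": "2031-10-05T13:15:30.000Z"},
    }],
    "ctlogs": [],
    "timestampAuthorities": [],
})


def _parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2021-01-12T11:53:27.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _is_active(valid_for, now):
    """True when `now` lies inside a validFor window; `end` is optional."""
    start = valid_for.get("start")
    if start is None or now < _parse_ts(start):
        return False
    end = valid_for.get("end")
    return end is None or now < _parse_ts(end)


def check_trusted_root(text, now=None):
    """Return a list of problems; an empty list means the root is deployable."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)
    try:
        root = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]

    problems = []
    media_type = root.get("mediaType", "")
    if not media_type.startswith(TRUSTED_ROOT_MEDIA_TYPE):
        problems.append(f"unexpected mediaType: {media_type!r}")

    # Verifying a fresh signature needs a log key whose window covers now.
    tlogs = root.get("tlogs", [])
    if not any(_is_active(t.get("publicKey", {}).get("validFor", {}), now)
               for t in tlogs):
        problems.append("no transparency log key is currently valid")

    # Expired CAs are kept so old signatures still verify; fresh signatures
    # need at least one CA that is active right now, with a real chain.
    cas = root.get("certificateAuthorities", [])
    for ca in cas:
        if not ca.get("certChain", {}).get("certificates"):
            problems.append(f"CA {ca.get('uri', '?')} has an empty certChain")
    if not any(_is_active(ca.get("validFor", {}), now) for ca in cas):
        problems.append("no certificate authority is currently valid")
    return problems


def deploy_exit_status(text, now=None):
    """0 when the root passes every check, 1 otherwise (shell-style)."""
    return 0 if not check_trusted_root(text, now) else 1


if __name__ == "__main__":
    # Usage: python check_root.py [path/to/trusted_root.json]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRUSTED_ROOT
    for problem in check_trusted_root(text):
        print(f"trusted root problem: {problem}", file=sys.stderr)
    sys.exit(deploy_exit_status(text))
```

The validity checks are deliberately about the windows the root declares, not about the bytes inside: chain and key verification belong to the client, which has already done them when it accepted the root. What the gate catches is a stale or truncated export reaching machines that cannot refresh it themselves.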