new bundle verifier: clarify supported CheckOpts combinations (identities + SigVerifier) to avoid policy option conflicts

[1seal]

hi maintainers,

i’m trying to confirm whether a small fix/guardrail PR is desired here, or whether the current behavior is effectively unreachable and can be left as-is.

pins:

• repo: https://github.com/sigstore/cosign
• commit: 03be625
• callsite: pkg/cosign/verify.go:199 ((*CheckOpts).verificationOptions())

what i’m seeing:
(*CheckOpts).verificationOptions() can construct a policy option mix that sigstore-go rejects (e.g., WithCertificateIdentity(...) + WithKey()), resulting in an error like:
can't use WithKey while using WithCertificateIdentity

however:
in current cosign CLI flows for the new bundle verifier, this exact combination may be unreachable (for example, verify-attestation rejects --certificate when --new-bundle-format is enabled).

could you confirm one of the following:

• is there a supported/public entrypoint (library API usage) where callers may legitimately set both identities and a non-nil SigVerifier for new bundle verification?
• if yes: would you prefer we (a) fail fast with a clearer error when that mix is provided, or (b) avoid constructing the conflicting mix internally?
• if no: would you prefer we document that this mix is unsupported/unreachable and skip a PR?

thanks,
oleh