Closed
Description
When verifying disjoint materials (.crt + .sig) with a "bare" Sigstore bundle in the same directory (.sigstore), a warning is displayed about bare bundles being deprecated. This occurs even if the bundle is not specified during verification (this seems like strange behavior?)
$ touch a
$ python -m sigstore sign --signature a.sig --certificate a.crt --bundle a.sigstore a
...
Transparency log entry created at index: 141486578
Signature written to a.sig
Certificate written to a.crt
Sigstore bundle written to a.sigstore
$ python -m sigstore verify identity --cert-identity sethmichaellarson@gmail.com --cert-oidc-issuer https://accounts.google.com --certificate a.crt --signature a.sig a
[16:43:36] WARNING a: a.sigstore should be named a.sigstore.json. Support for discovering 'bare' .sigstore inputs will be deprecated in a future release. _cli.py:925
OK: a
Rename the file: no warning
$ mv a.sigstore a.sigstore.json
$ python -m sigstore verify identity --cert-identity sethmichaellarson@gmail.com --cert-oidc-issuer https://accounts.google.com --certificate a.crt --signature a.sig a
OK: a
Remove the file: no warning
$ rm a.sigstore.json
$ python -m sigstore verify identity --cert-identity sethmichaellarson@gmail.com --cert-oidc-issuer https://accounts.google.com --certificate a.crt --signature a.sig a
OK: a
Expected behavior is for the warning to not be considered if certificate/signature disjoint materials are specified. As far as I can tell from my testing, the bundle is not used during verification at all despite the warning.
Version
$ python --version
Python 3.13.0
$ python -m sigstore --version
sigstore 3.4.0
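To make the precedence the report asks for concrete, here is an added illustration (not sigstore-python's own code; `resolve_materials`, the `Resolved` record and the `present` set of sibling filenames are assumptions standing in for a directory scan) of a resolver that only looks beside the target, and only emits the bare-bundle deprecation warning, when no materials were passed explicitly:

```python
from __future__ import annotations
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

@dataclass(frozen=True)
class Resolved:
    bundle: Optional[Path]
    signature: Optional[Path]
    certificate: Optional[Path]
    warnings: tuple  # deprecation messages a CLI would log

def resolve_materials(target: str, present: set,
                      signature: Optional[str] = None,
                      certificate: Optional[str] = None,
                      bundle: Optional[str] = None) -> Resolved:
    """Pick verification materials for `target`. `present` is the set of
    filenames in the target's directory (constructed input; a real tool
    would stat the disk). Explicit inputs win and suppress discovery."""
    t = Path(target)
    if bundle is not None:
        return Resolved(Path(bundle), None, None, ())
    if signature is not None or certificate is not None:
        # Disjoint materials given: the bundle is never consulted, so
        # its naming is irrelevant and no warning should be raised.
        if signature is None or certificate is None:
            raise ValueError("--signature and --certificate go together")
        return Resolved(None, Path(signature), Path(certificate), ())
    # Discovery mode: only now inspect the directory next to the target.
    json_bundle = t.with_name(t.name + ".sigstore.json")
    bare_bundle = t.with_name(t.name + ".sigstore")
    if json_bundle.name in present:
        return Resolved(json_bundle, None, None, ())
    if bare_bundle.name in present:
        warn = (f"{t}: {bare_bundle.name} should be named {json_bundle.name}. "
                "Support for discovering 'bare' .sigstore inputs will be "
                "deprecated in a future release.")
        return Resolved(bare_bundle, None, None, (warn,))
    sig, crt = t.with_name(t.name + ".sig"), t.with_name(t.name + ".crt")
    if sig.name in present and crt.name in present:
        return Resolved(None, sig, crt, ())
    raise FileNotFoundError(f"no verification materials found for {t}")
```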