pypi/pypi-attestations

Support downloading verified wheels

Opened this issue · 1 comment

Currently, the README (and the PyPI docs) show using pypi-attestations verify to verify dists from PyPI. This downloads them into a tmp dir and throws them away. But what if I wanted to keep the dist? I think it'd be useful to have an option that places the verified dir into a target directory before getting rid of the tmp dir.

I can imagine a scenario where I'd want to verify a dist and then pip install it. It seems reasonable to me to keep the dist on disk in such a case.

Although, when installing trees of deps, I'd probably still have to pip download everything, pypi-attestations verify each and then pip install --no-index from that wheelhouse.

Thoughts?

Mm I don't know if overloading the verify command to also download distributions for installation is the right thing to do here.

In the context of installing a dist, an important part of what pip install does is choosing the correct wheel for the current OS, architecture, etc. But if we make verify download wheels meant for installation, we make the user responsible for making this choice (should they download the manylinux2010 wheel or the manylinux2014 one? etc.).

If the end goal is to verify wheels that are about to be installed, I would prefer that the user downloads them via pip download (in order to get the right wheels), and then they can verify and install them.