We need to discuss what should happen when a self-signed certificate is passed to singularity verify. As discussed in #1160 (comment), my gut instinct is that Singularity should either:
- Not accept a self-signed cert unless it is a trust anchor (present in the system pool, etc.), or
- Accept it only if the user has specified this as the desired behaviour.
As an example of how this is handled elsewhere, wget --no-check-certificate allows a self-signed cert to be used. That being said, its documentation actually recommends the first approach for self-signed certs:
> For self-signed/internal certificates, you should download the certificate and verify against that instead of forcing this insecure mode.
Depending on how we decide to handle this situation, it may or may not be in scope for Singularity. I'm also not positive that it isn't already possible to handle this use case by specifying --certificate <self-signed> --certificate-roots <self-signed>. If that works, the solution may be documentation, or a flag to make that more user friendly.
Looking for opinions and options!