sigsum-verify: Provide a way to specify parameters on command-line instead of via files?
The --key and --policy parameters take files as arguments. This makes for a somewhat poor one-shot user experience if you are, for example, verifying an artifact that you just downloaded. It would be simpler to provide a way to specify both parameter values on the command-line, somehow.
For --key this would be simple: extend it to also accept an SSH-style public key string, or add a new --key-string parameter that accepts an SSH-style public key string.
For --policy the solution is less obvious to me since the files contain a lot of data. Perhaps using named policies or policy-via-indirection would be acceptable? I'm thinking something like this:
sigsum-verify \
    --key-string="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE" \
    --policy-url=https://www.gnu.org/software/inetutils/inetutils-sigsum-trust-policy.txt \
    inetutils-2.6.tar.gz.proof < inetutils-2.6.tar.gz
Or if you want to integrity protect the trust policy, also add an expected checksum of the downloaded file, like this:
sigsum-verify \
    --key-string="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE" \
    --policy-url=https://www.gnu.org/software/inetutils/inetutils-sigsum-trust-policy.txt \
    --policy-sha256=20dd5ea141e2f5e6fd9e409e44e1f916691d4ca5d0fe198e3349978c2d8b33f2 \
    inetutils-2.6.tar.gz.proof < inetutils-2.6.tar.gz
Which would make it only use the trust file if it matches a particular checksum.
Or something, just some ideas.
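
The checksum-pinned variant above can be approximated today by wrapping the existing file-based --key and --policy options. This is an added example, not part of the original issue or of the Sigsum project's code; the function names, the SIGSUM_VERIFY variable and the use of curl and sha256sum are assumptions.

```shell
#!/bin/sh
# Added example: fetch a trust policy, check it against a pinned SHA-256,
# and only then hand it to sigsum-verify through the file-based options.
SIGSUM_VERIFY=${SIGSUM_VERIFY:-sigsum-verify}   # verifier binary (overridable)

# Print the lowercase hex SHA-256 of a file.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if FILE ($1) hashes to the expected hex digest ($2).
policy_matches_pin() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    got=$(file_sha256 "$1") || return 1
    [ ${#want} -eq 64 ] && [ "$got" = "$want" ]
}

# Download URL ($1) to OUT ($2); HTTPS only, fail on HTTP errors.
fetch_policy() {
    curl --fail --silent --show-error --proto '=https' --output "$2" "$1"
}

# verify_pinned KEY_STRING POLICY_URL POLICY_SHA256 PROOF  (artifact on stdin)
# Returns 2 on download failure, 3 on checksum mismatch, else the verifier's status.
verify_pinned() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$tmp/key.pub"
    if ! fetch_policy "$2" "$tmp/policy"; then
        echo "policy download failed" >&2; rm -rf "$tmp"; return 2
    fi
    if ! policy_matches_pin "$tmp/policy" "$3"; then
        echo "policy checksum mismatch, refusing to verify" >&2
        rm -rf "$tmp"; return 3
    fi
    rc=0
    "$SIGSUM_VERIFY" --key "$tmp/key.pub" --policy "$tmp/policy" "$4" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

The policy is never passed to the verifier unless the pin matches, so a modified file at the URL results in a refusal rather than verification against a different set of logs and witnesses.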