Fix --tls-verify

Differentiate, again, between (skopeo --tls-verify subcommand)
and (skope subcommand --tls-verify), by
- using a "local" Corba flag for the (skopeo --tls-verify ...) variant
- adding separate --tls-verify flags to subcommands that only accept
  them as legacy, available through deprecatedTLSVerifyFlags
  (unlike the non-legacy path of dockerImageFlags());
- using TraverseChildren: true; this causes the global and
  per-subcommand flags to be treated separately by Corba,
  i.e. they no longer happen to share the "Hidden" flag
  and Corba actually sets the right flag variable now.

So, we can now warn on (skopeo --tls-verify command) again,
and --help lists the flag correctly (it is hidden at the
global level, and in subcommands like copy that deprecated it,
but visible in subcommands like inspect where it's not deprecated).

NOTE: This removes --tls-verify from (skopeo manifest-digest) and
the three signing commands; it never made sense there. This change
could, in principle, break some users.

Also update man pages to match.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

docs/skopeo-inspect.1.md

@@ -65,6 +65,10 @@ The number of times to retry; retry wait time will be exponentially increased ba
 
 Directory to use to share blobs across OCI repositories.
 
+**--tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)
+
 ## EXAMPLES
 
 To review information for the image fedora from the docker.io registry: