Pre-PEP discussion: Stop providing GPG signatures for CPython artifacts

FWIW, this particular piece of information has been outdated for a while: sigstore-python performs zero online log lookups by default if you’re verifying with the “bundle” format (which is what CPython distributes). It will perform an online lookup by default if you pass “detached” inputs, but these are deprecated and you can also explicitly disable online lookups in this case by passing --offline.

TL;DR: If you pass --offline while calling sigstore verify’s subcommands, you will never perform an online log lookup.

(The linked issue has a separate edge case, which is around trust root updates. That’s actually been fixed for months in the APIs as well, but I’ve neglected to update the CLI to plumb those changes through. But this reminded me to, and we have a PR open now that will make zero-network verifications possible: cli: --offline means fully offline by woodruffw · Pull Request #1143 · sigstore/sigstore-python · GitHub).

TL;DR: Starting with the next release, --offline will also mean that sigstore-python performs no automatic trust root updates. You can confirm this yourself (once released) by running it in an un-networked environment, e.g. using eatmynetwork

eatmynetwork sigstore verify identity \
    --offline \
    --cert-identity "..." \
    --cert-oidc-issuer "..." \
    some-input.txt

(Our CI test suite also enforces that this behavior remains present.)
