For internal, red-hat-development usage, I would like to be able to opt out of the sigstore signing requirement so that I can test legitimate release images that have not been signed via sigstore, for example in CI workflows. 

As this story is for dev-only usage, this should not go in the install config. Presumably this would be an environment variable (which should be prefixed with OPENSHIFT_INSTALL). 

When the environment variable (or whatever) is set, an override will be placed in the CVO manifest, as described in the enhancement:

kind: ClusterImagePolicy
group: config.openshift.io
name: openshift
unmanaged: true 

CVO override logic can be found here: https://github.com/openshift/installer/blob/fdd2095b517562f75714a849a169d294bdfe087d/pkg/asset/ignition/bootstrap/cvoignore.go#L96-L106