sigstore 4.0 upgrade details

[jku]

Filing as heads up: The sigstore-python 4.0 upgrade is a bit more complicated since there are related service changes. I'll add more details here in next day or two but short story is:

• sigstore-python 4.0 contains support for rekor v2 transparency log
• rekor v2 is not yet fully deployed on the public good instance (sigstore.dev) but once it is, sigstore-python 4.0 will start using it (by default) when signing. There is no strict deadline for full deployment but a couple of months is a good guess (the rekor v1 instance will remain usable even after that)
• verifying signature bundles (that were produced with rekor v2) requires sigstore-python 4.0 (or another sigstore client with rekorv2 support)

sigstore-python 3.6.x series is still maintained so there is no rush to upgrade here