Add note regarding API compatibility when using signing config (#528)

As discussed in the Go meeting today, we want developers to be aware of
the consequences of using a signing config and always selecting the
highest API version, which may lead to verifiers unable to verify.

Signed-off-by: Hayden <[email protected]>
Co-authored-by: Hayden <[email protected]>

Author: haydentherapper

examples/sigstore-go-signing/main.go

@@ -138,6 +138,12 @@ func main() {
 			log.Fatal(err)
 		}
 	} else {
+		// Note to developers: When fetching services from the public-good instance's
+		// SigningConfig, you may retrieve a service with a higher API version than
+		// clients that verify support, e.g. uploading to Rekor v2, but verifying with
+		// a client that only supports Rekor v1. If you are not able to keep verifying
+		// clients up-to-date, you may want to select specific API versions when calling
+		// root.SelectService.
 		signingConfig, err = root.GetSigningConfig(stagingTUFClient)
 		if err != nil {
 			log.Fatal(err)