Post-mortem for regression in 3.5.0 #1194
Description
Release 3.5.0 had a minor regression which we only noticed after release: handling of "legacy" sigstore bundles (i.e. .sigstore instead of .sigstore.json) was broken by an overly broad check on .crt/.sig inputs.
No other verification flows were affected, including any flows where a user passes the verification materials explicitly rather than discovering them via file suffixes.
Resolution
We released 3.5.1 with a fix.
Improvement items
We should have an integration test that ensures we don't regress on this CLI behavior again.
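An illustrative model of this failure class and of the regression check the improvement item asks for, added here and not sigstore-python's own code: the suffix-based discovery order, the placement of materials beside the artifact, and the temp-dir fixture are assumptions, and `discover_broken` is a reconstruction of the described behaviour, not the 3.5.0 diff.

```python
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Materials:
    bundle: Path | None = None  # .sigstore.json or legacy .sigstore
    cert: Path | None = None    # detached .crt
    sig: Path | None = None     # detached .sig


def _beside(artifact: Path, suffix: str) -> Path:
    # Assumed convention: materials live next to the artifact, name + suffix.
    return artifact.with_name(artifact.name + suffix)


def discover_broken(artifact: Path) -> Materials:
    """Modelled regression: only .sigstore.json is tried before the .crt/.sig
    check, so a legacy .sigstore bundle is refused as 'no materials'."""
    bundle = _beside(artifact, ".sigstore.json")
    if bundle.exists():
        return Materials(bundle=bundle)
    cert, sig = _beside(artifact, ".crt"), _beside(artifact, ".sig")
    if not (cert.exists() and sig.exists()):  # overly broad: ignores .sigstore
        raise FileNotFoundError(f"no verification materials for {artifact}")
    return Materials(cert=cert, sig=sig)


def discover_fixed(artifact: Path) -> Materials:
    """Try both bundle forms first; fall back to .crt + .sig only afterwards."""
    for suffix in (".sigstore.json", ".sigstore"):
        bundle = _beside(artifact, suffix)
        if bundle.exists():
            return Materials(bundle=bundle)
    cert, sig = _beside(artifact, ".crt"), _beside(artifact, ".sig")
    if cert.exists() and sig.exists():
        return Materials(cert=cert, sig=sig)
    raise FileNotFoundError(f"no verification materials for {artifact}")


def legacy_bundle_case(discover) -> str:
    """Regression fixture: an artifact with only a legacy .sigstore bundle
    beside it (constructed in a temp dir). Returns the material kind chosen."""
    with tempfile.TemporaryDirectory() as d:
        artifact = Path(d, "artifact.bin")
        artifact.write_bytes(b"constructed artifact")
        Path(d, "artifact.bin.sigstore").write_text("{}")  # legacy bundle stand-in
        try:
            return "bundle" if discover(artifact).bundle else "cert+sig"
        except FileNotFoundError:
            return "error"
```

Running `legacy_bundle_case` against each discovery function is the shape of the integration test: the legacy-bundle fixture must resolve to a bundle, never to a missing-materials error.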