[series/3.6.x] Better error when verifying rekorv2 entries

[jku]

• Improve error message when verifying with 3.6.x but the bundle contains a rekor v2 entry: Current error is technically correct but not very helpful
• Bump version as well (I can drop this if we don't want to make point release quite yet)

New error looks like this (the format is the same as some existing bundle errors):

ERROR    The provided bundle contains a transparency log entry that is incompatible with
         this version of sigstore-python. Please upgrade your verifying client.

         Additional context:

         Expected log entry version 0.0.1, got 0.0.2

         For detailed error information, run sigstore with the `--verbose` flag.

Fixes #1564.

[jku]

FYI @di we discussed this on friday, it does look like the error could be better here.

[woodruffw]

LGTM!

@jku out of curiosity, do you have thoughts on how long the 3.6.x series should be maintained? My first intuition here is to say that we should stop doing QOL improvements to it pretty soon now that 4.x is released, but I imagine there's still a significant usage tail that we need to move over to 4.x. Curious what you think.

[di]

(we should do the same for the 4.x series as well...)

[di]

@woodruffw, @jku has put together a nice set of client stats here, as expected the 3.x series has a lot of usage (seems like this is mostly due to gh-actions-pypi-publish using this version)

IMO, we mostly just need a 3.x release with a useful error message when verifying newer entries (which this PR resolves). I don't think we need to maintain this series beyond that.

[di]

Bump version as well (I can drop this if we don't want to make point release quite yet)

I think this is fine, I don't think there's anything else we need to get into a 3.x release.

[jku]

@jku out of curiosity, do you have thoughts on how long the 3.6.x series should be maintained? My first intuition here is to say that we should stop doing QOL improvements to it pretty soon now that 4.x is released, but I imagine there's still a significant usage tail that we need to move over to 4.x. Curious what you think.

• QOL changes, I would hope we don't do any after this
• bug fixes or even something like cryptography version pin updates: we may want to do those for a while

Speaking of cryptography version pin bumps: should we do that in 3.6.6 or no? On one hand we would like library users to upgrade to sigstore 4.0 but I also recognise how very annoying a library pinning another library (especially cryptography) is...

[jku]

Speaking of cryptography version pin bumps: should we do that in 3.6.6 or no? On one hand we would like library users to upgrade to sigstore 4.0 but I also recognise how very annoying a library pinning another library (especially cryptography) is...

I will make a PR of that but either way works for me.