[series/3.6.x] Better error when verifying rekorv2 entries

CHANGELOG.md

@@ -8,6 +8,13 @@ All versions prior to 0.9.0 are untracked.
 
 ## [Unreleased]
 
+## [3.6.6]
+
+### Changed
+
+* Improved error message when verifying bundles with rekor v2 entries
+  ([#1565](https://github.com/sigstore/sigstore-python/pull/1565))
+
 ## [3.6.5]
 
 ### Fixed

sigstore/__init__.py

@@ -25,4 +25,4 @@
 * `sigstore.sign`: creation of Sigstore signatures
 """
 
-__version__ = "3.6.5"
+__version__ = "3.6.6"

sigstore/models.py

@@ -415,6 +415,27 @@ def diagnostics(self) -> str:
         )
 
 
+class IncompatibleEntry(InvalidBundle):
+    """
+    Raised when the log entry within the `Bundle` has an incompatible KindVersion.
+
+    The common case is a Rekor v2 entry.
+    """
+
+    def diagnostics(self) -> str:
+        """Returns diagnostics for the error."""
+
+        return dedent(
+            f"""\
+        The provided bundle contains a transparency log entry that is incompatible with this version of sigstore-python. Please upgrade your verifying client.
+
+        Additional context:
+
+        {self}
+        """
+        )
+
+
 class Bundle:
     """
     Represents a Sigstore bundle.
@@ -513,6 +534,11 @@ def _verify(self) -> None:
             raise InvalidBundle("expected exactly one log entry in bundle")
         tlog_entry = tlog_entries[0]
 
+        if tlog_entry.kind_version.version != "0.0.1":
+            raise IncompatibleEntry(
+                f"Expected log entry version 0.0.1, got {tlog_entry.kind_version.version}"
+            )
+
         # Handling of inclusion promises and proofs varies between bundle
         # format versions:
         #