rekor v2 considerations #729
Description
- sigstore public good instance already runs a rekor v2 service
- in the near future this will be recommended to be used when signing
- at some significantly later point the rekor v1 instance will become read-only
rekorv2 entries cannot be verified by clients that are not yet rekorv2 compatible. As gitsign seems to use an old cosign version, this does not really affect gitsign right now, but once the upgrade is made (see #537) you may want to force rekor v1 for a while (to give users time to upgrade their verifier clients before rekor v2 entries start appearing)