Forward port entry kindversion error improvement, bump version to 4.1.0 (#1569)

jku · web-flow · commit 3447f9603cfa · 2025-10-11T12:45:22.000Z
* models: Forward-port the entry kind version error improvement This is a forward port of #1565 to future proof the error message. Signed-off-by: Jussi Kukkonen <jkukkonen@google.com> * Changelog: Update for 4.1.0 Add missing entries, also add the 3.6.6 changelog from series/3.6.x Signed-off-by: Jussi Kukkonen <jkukkonen@google.com> * Bump version to 4.1.0 Signed-off-by: Jussi Kukkonen <jkukkonen@google.com> --------- Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,28 @@ All versions prior to 0.9.0 are untracked.
 
 ## [Unreleased]
 
+## [4.1.0]
+
+### Added
+
+* cli: Support using other Sigstore instances with `--instance URL`.
+  New instances are trusted with new top level command `trust-instance ROOTFILE`.
+  [#1548](https://github.com/sigstore/sigstore-python/pull/1548)
+
+### Changed
+
+* Added cryptography 46 to list of compatible cryptography releases
+  ([#1544](https://github.com/sigstore/sigstore-python/pull/1544))
+* Improved error message when verifying bundles with unsupported log entry versions
+  ([#1569](https://github.com/sigstore/sigstore-python/pull/1569))
+
+### Fixed
+
+* cli: Always read/write UTF-8. This fixes an issue on Windows where the platform
+  default encoding was used: the issue has existed for a while, but became more visible
+  with signature bundles that contain rekor2 entries.
+  [#1553](https://github.com/sigstore/sigstore-python/pull/1553)
+
 ## [4.0.0]
 
 This is a major release with a host of API and functionality changes. The major new feature
@@ -76,6 +98,14 @@ is Rekor v2 support but many other changes are also included, see list below.
 * verify: Handle unset TSA timestamp validity end
   [#1368](https://github.com/sigstore/sigstore-python/pull/1368)
 
+## [3.6.6]
+
+### Changed
+
+* Improved error message when verifying bundles with rekor v2 entries
+  ([#1565](https://github.com/sigstore/sigstore-python/pull/1565))
+* Added cryptography 46 to list of compatible cryptography releases
+  ([#1566](https://github.com/sigstore/sigstore-python/pull/1566))
 
 ## [3.6.5]
 
diff --git a/sigstore/__init__.py b/sigstore/__init__.py
@@ -25,4 +25,4 @@
 * `sigstore.sign`: creation of Sigstore signatures
 """
 
-__version__ = "4.0.0"
+__version__ = "4.1.0"
diff --git a/sigstore/models.py b/sigstore/models.py
@@ -325,6 +325,25 @@ def diagnostics(self) -> str:
         )
 
 
+class IncompatibleEntry(InvalidBundle):
+    """
+    Raised when the log entry within the `Bundle` has an incompatible KindVersion.
+    """
+
+    def diagnostics(self) -> str:
+        """Returns diagnostics for the error."""
+
+        return dedent(
+            f"""\
+        The provided bundle contains a transparency log entry that is incompatible with this version of sigstore-python. Please upgrade your verifying client.
+
+        Additional context:
+
+        {self}
+        """
+        )
+
+
 class Bundle:
     """
     Represents a Sigstore bundle.
@@ -426,6 +445,11 @@ def _verify(self) -> None:
             raise InvalidBundle("expected exactly one log entry in bundle")
         tlog_entry = tlog_entries[0]
 
+        if tlog_entry.kind_version.version not in ["0.0.1", "0.0.2"]:
+            raise IncompatibleEntry(
+                f"Expected log entry version 0.0.1 - 0.0.2, got {tlog_entry.kind_version.version}"
+            )
+
         # Handling of inclusion promises and proofs varies between bundle
         # format versions:
         #
