Update sigstore requirement from <5,>=3 to >=4.2.0,<5

[dependabot]

Updates the requirements on sigstore to permit the latest version.

Release notes

Sourced from sigstore's releases.

v4.2.0

This release fixes a minor security issue in OIDC authentication and a compatibility issue with Fulcio Signed Certificate Timestamps. All users are recommended to upgrade.

Fixed

• Add state validation to OIDC flow to prevent Cross-site request forgery during OIDC authorization (GHSA-hm8f-75xx-w2vr)
• verification now ensures that artifact digest documented in bundle and the real digest match (this is a bundle consistency check: bundle signature was always verified over real digest) (#1652)
• Fix issue with Signed Certificate Timestamp parsing where extensions were not allowed by sigstore-python (1657, 1659)

Changed

• Update supported public key algorithms (#1604)
• trust: Update embedded TUF root (#1589)

Removed

• Removed support for Python 3.9 as it is end-of-life (#1645)
• Removed unused nonce in Oauth flow (#1649)

Changelog

Sourced from sigstore's changelog.

[4.2.0]

Fixed

• Add state validation to OIDC flow to prevent Cross-site request forgery during OIDC authorization (GHSA-hm8f-75xx-w2vr)
• verification now ensures that artifact digest documented in bundle and the real digest match (this is a bundle consistency check: bundle signature was always verified over real digest) (#1652)
• Fix issue with Signed Certificate Timestamp parsing where extensions were not allowed by sigstore-python (1657, 1659)

Changed

• Update supported public key algorithms (#1604)
• trust: Update embedded TUF root (#1589)

Removed

• Removed support for Python 3.9 as it is end-of-life (#1645)
• Removed unused nonce in Oauth flow (#1649)

[4.1.0]

Added

• cli: Support using other Sigstore instances with --instance URL. New instances are trusted with new top level command trust-instance ROOTFILE. #1548

Changed

• Added cryptography 46 to list of compatible cryptography releases (#1544)
• Improved error message when verifying bundles with unsupported log entry versions (#1569)

Fixed

• cli: Always read/write UTF-8. This fixes an issue on Windows where the platform default encoding was used: the issue has existed for a while, but became more visible with signature bundles that contain rekor2 entries. #1553

... (truncated)

Commits

• 94818e4 Release 4.2 (#1670)
• 5e77497 Merge commit from fork
• ae9caa7 build(deps-dev): update ruff requirement from <0.14.14 to <0.14.15 (#1668)
• b1e5095 build(deps): bump github/codeql-action in the actions group (#1669)
• f5feace build(deps): bump the actions group with 2 updates (#1666)
• 802f96b build(deps): bump sigstore/sigstore-conformance from 0.0.24 to 0.0.25 in the ...
• 4ba9ca3 build(deps): bump pyasn1 from 0.6.1 to 0.6.2 (#1662)
• 409fadb build(deps-dev): update ruff requirement from <0.14.13 to <0.14.14 (#1663)
• b1ef51c build(deps-dev): update ruff requirement from <0.14.12 to <0.14.13 (#1658)
• e6cc009 Include SCT extension in signature data (#1659)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)