upgrade to sigstore-python 4.0

[jku]

This should not be that technically difficult but there are some complications:

• As mentioned in sigstore 4.0 upgrade details pypa/gh-action-pypi-publish#383 the upgrade has implications later on when rekorv2 is added to the sigstore signingconfig: new log entries will then come from rekorv2, and older clients will be unable to verify them
• Drop sigstore_protobuf_specs #131

[jku]

I can take a look at making a PR, it would probably be useful for me to know how this project works...

EDIT: william has a PR already: #132, I will have a look at that instead

[jku]

I've posted a link in the PR to a commit that contains the 4.0 upgrade but does not contain rekorv2 support as I only now realised that that requires updating the annotation format (timestamps are needed)