From 4a972987f3ca3baeaf6c6419970ffed0f42a2615 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Thu, 9 Oct 2025 13:51:19 +0300
Subject: [PATCH 1/3] models: Forward-port the entry kind version error improvement
This is a forward port of #1565 to future proof the error message.
Signed-off-by: Jussi Kukkonen
---
 sigstore/models.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/sigstore/models.py b/sigstore/models.py
index 09cfe50f..619c4591 100644
--- a/sigstore/models.py
+++ b/sigstore/models.py
@@ -325,6 +325,25 @@ def diagnostics(self) -> str:
 )
+class IncompatibleEntry(InvalidBundle):
+ """
+ Raised when the log entry within the `Bundle` has an incompatible KindVersion.
+ """
+
+ def diagnostics(self) -> str:
+ """Returns diagnostics for the error."""
+
+ return dedent(
+ f"""\
+ The provided bundle contains a transparency log entry that is incompatible with this version of sigstore-python. Please upgrade your verifying client.
+
+ Additional context:
+
+ {self}
+ """
+ )
+
+
 class Bundle:
 """
 Represents a Sigstore bundle.
@@ -426,6 +445,11 @@ def _verify(self) -> None:
 raise InvalidBundle("expected exactly one log entry in bundle")
 tlog_entry = tlog_entries[0]
+ if tlog_entry.kind_version.version not in ["0.0.1", "0.0.2"]:
+ raise IncompatibleEntry(
+ f"Expected log entry version 0.0.1 - 0.0.2, got {tlog_entry.kind_version.version}"
+ )
+
 # Handling of inclusion promises and proofs varies between bundle
 # format versions:
 #
From 7baf9b7b71a23e0f345d6f5b2e02af679f5bfe57 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Thu, 9 Oct 2025 13:47:47 +0300
Subject: [PATCH 2/3] Changelog: Update for 4.1.0
Add missing entries, also add the 3.6.6 changelog from series/3.6.x
Signed-off-by: Jussi Kukkonen
---
 CHANGELOG.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c9181057..e763cb09 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
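Review bot: The diagnostics text of the new `IncompatibleEntry` class tells the user to upgrade unconditionally, yet the raise site in the second hunk uses this class for any `kind_version.version` outside the supported list, so a corrupted or tampered bundle carrying a bogus version string gets the same "please upgrade" advice as a genuinely newer entry. Because a bundle is untrusted input, the advice should not presume it is well-formed; wording along the lines of `The provided bundle contains a transparency log entry whose version is not supported by this version of sigstore-python. If the bundle was produced by a newer Sigstore client, upgrade your verifying client; otherwise treat the bundle as invalid.` avoids steering a user into upgrading in order to accept a bad bundle. `diagnostics` also interpolates `{self}`, i.e. whatever message the raise site builds, so anything taken from the bundle that lands in that message should be repr-quoted or bounded before it is shown to the user. Deriving from `InvalidBundle` keeps existing `except InvalidBundle` handlers working, which is the right compatibility choice.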
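Review bot: The new error message in `_verify` interpolates `tlog_entry.kind_version.version` verbatim, and that string comes straight from the untrusted bundle, so a value containing newlines or terminal escape sequences is echoed into the exception text and, via `IncompatibleEntry.diagnostics`, most likely onto the user's terminal or logs. Repr-quoting bounds that and also makes an empty or whitespace-only version visible: `f"Expected log entry version 0.0.1 or 0.0.2, got {tlog_entry.kind_version.version!r}"` (the current `0.0.1 - 0.0.2` reads as a range, while the check is exact membership in a two-element list). The gate also inspects only `version`, not `kind`; if `_verify` does not validate `kind` further down, an entry with a supported version but an unexpected kind still passes here — worth confirming, since `_verify` starts and ends outside this hunk. A module-level constant such as `_SUPPORTED_ENTRY_VERSIONS = ("0.0.1", "0.0.2")` would keep the allow-list in one place if the same versions are matched again later in the method.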
@@ -8,6 +8,26 @@ All versions prior to 0.9.0 are untracked.
 ## [Unreleased]
+### Added
+
+* cli: Support using other Sigstore instances with `--instance URL`.
+ New instances are trusted with new top level command `trust-instance ROOTFILE`.
+ [#1548](https://github.com/sigstore/sigstore-python/pull/1548)
+
+### Changed
+
+* Added cryptography 46 to list of compatible cryptography releases
+ ([#1544](https://github.com/sigstore/sigstore-python/pull/1544))
+* Improved error message when verifying bundles with unsupported log entry versions
+ ([#1569](https://github.com/sigstore/sigstore-python/pull/1569))
+
+### Fixed
+
+* cli: Always read/write UTF-8. This fixes an issue on Windows where the platform
+ default encoding was used: the issue has existed for a while, but became more visible
+ with signature bundles that contain rekor2 entries.
+ [#1553](https://github.com/sigstore/sigstore-python/pull/1553)
+
 ## [4.0.0]
 This is a major release with a host of API and functionality changes. The major new feature
@@ -76,6 +96,14 @@ is Rekor v2 support but many other changes are also included, see list below.
 * verify: Handle unset TSA timestamp validity end [#1368](https://github.com/sigstore/sigstore-python/pull/1368)
+## [3.6.6]
+
+### Changed
+
+* Improved error message when verifying bundles with rekor v2 entries
+ ([#1565](https://github.com/sigstore/sigstore-python/pull/1565))
+* Added cryptography 46 to list of compatible cryptography releases
+ ([#1566](https://github.com/sigstore/sigstore-python/pull/1566))
 ## [3.6.5]
From aa90f165083306743d6332b2492ba647d91b53a5 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Thu, 9 Oct 2025 14:08:23 +0300
Subject: [PATCH 3/3] Bump version to 4.1.0
Signed-off-by: Jussi Kukkonen
---
 CHANGELOG.md | 2 ++
 sigstore/__init__.py | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e763cb09..5b56f77f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,8 @@ All versions prior to 0.9.0 are untracked.
 ## [Unreleased]
+## [4.1.0]
+
 ### Added
 * cli: Support using other Sigstore instances with `--instance URL`.
diff --git a/sigstore/__init__.py b/sigstore/__init__.py
index 0fcde57b..e61444b1 100644
--- a/sigstore/__init__.py
+++ b/sigstore/__init__.py
@@ -25,4 +25,4 @@
 * `sigstore.sign`: creation of Sigstore signatures
 """
-__version__ = "4.0.0"
+__version__ = "4.1.0"