fix(deps): make uv install resolve without prereleases

Upgrade the sigstore requirement to v4 so ggshield no longer pulls sigstore 3's sigstore-protobuf-specs dependency, which requires pre-release betterproto versions that uv rejects by default.

Update the PyInstaller bundle smoke-check paths for sigstore 4 package data.

Author: clement-tourriere

changelog.d/20260429_093600_fix_sigstore_uv_install.md

@@ -0,0 +1,3 @@
+### Fixed
+
+- Fixed `uv tool install ggshield` resolution by requiring sigstore 4, avoiding sigstore 3's transitive pre-release dependency on `betterproto`.

pyproject.toml

@@ -45,7 +45,7 @@ dependencies = [
     "pyyaml~=6.0.1",
     "requests~=2.32.0",
     "rich~=13.0",
-    "sigstore>=3.0.0,<4",
+    "sigstore>=4.0.0,<5",
     "typing-extensions~=4.14",
     "urllib3>=2.2.2,<3",
     "truststore>=0.10.1; python_version >= \"3.10\"",

scripts/build-os-packages/build-os-packages

@@ -269,11 +269,12 @@ argument in step_build and re-run."
 
     # Layer 2: structural assertions for known package-data files. Each
     # entry below was added because we caught (or want to prevent) a
-    # silent-drop bug. Append, don't replace.
+    # silent-drop bug. Keep paths in sync with dependency package-data layouts.
     local required_paths=(
-        # sigstore TUF bootstrap roots — missing these breaks Verifier.production()
-        "_internal/sigstore/_store/prod/root.json"
-        "_internal/sigstore/_store/prod/trusted_root.json"
+        # sigstore TUF bootstrap roots/config — missing these breaks Verifier.production()
+        "_internal/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/root.json"
+        "_internal/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/trusted_root.json"
+        "_internal/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/signing_config.v0.2.json"
     )
     local rel
     for rel in "${required_paths[@]}" ; do