release-tools
Ensure Sigstore CLI on downloads server is >= 3.6.2 and < 4
During the 3.15.0a1 release, after the release files had been signed by Sigstore, I got this error during the verification:

```text
[14:50:14] ERROR FAIL: _cli.py:1082
/srv/www.python.org/ftp/python/3.15.0/python-3.15.0a1-macos11.pkg
ERROR Did not find one Rekor key in trusted root. errors.py:41
For detailed error information, run sigstore
with the `--verbose` flag.
```
This was fixed in Sigstore 3.6.2: https://github.com/sigstore/sigstore-python/pull/1350
I upgraded my version of sigstore on the downloads server from 3.5.3 to 3.6.6 (the latest 3.6.x, and the latest 3.x that's <4) and it then worked.
So let's adjust the "Checking Sigstore CLI" pre-check which runs at the start of the whole release, so instead of checking >=3, it checks >= 3.6.2 and <4.
This original >=3 check was added in https://github.com/python/release-tools/pull/194.
We also have a second sigstore version check later on.
It's part of add_to_pydotorg.py, which runs on the downloads server, and does the actual signing/verifying/uploading.
This was added in https://github.com/python/release-tools/pull/167.
I didn't change this to also check >= 3.6.2, < 4. In fact, I think we could remove it because we have the pre-check above?
@sethmlarson Thoughts on this?
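The version-range pre-check described above, as an added example that is not code from python/release-tools. It assumes `sigstore --version` prints a line containing a plain `X.Y.Z` version such as `sigstore 3.6.6` (an assumption about the CLI's output format) and compares versions as integer tuples, so pre-release suffixes are ignored; the bounds are the ones discussed in this PR (>= 3.6.2 because of sigstore-python PR 1350, < 4 to stay on a known major).

```python
"""Check that the installed Sigstore CLI is >= 3.6.2 and < 4.

Added example, not the release-tools implementation. Assumes that
`sigstore --version` prints something like "sigstore 3.6.6".
"""
from __future__ import annotations

import re
import shutil
import subprocess

# 3.6.2 is the first release containing the Rekor trusted-root fix
# (sigstore-python PR 1350); 4.x is excluded until it has been tested.
MIN_VERSION: tuple[int, ...] = (3, 6, 2)
MAX_VERSION_EXCLUSIVE: tuple[int, ...] = (4, 0, 0)


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the first X.Y.Z version from text such as 'sigstore 3.6.6'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"could not find a version number in {text!r}")
    return tuple(int(part) for part in match.groups())


def version_in_range(
    version: tuple[int, ...],
    lower: tuple[int, ...] = MIN_VERSION,
    upper: tuple[int, ...] = MAX_VERSION_EXCLUSIVE,
) -> bool:
    """True when lower <= version < upper (tuple comparison is lexicographic)."""
    return lower <= version < upper


def format_version(version: tuple[int, ...]) -> str:
    return ".".join(str(part) for part in version)


def check_sigstore_cli(version_output: str) -> str | None:
    """Return None if the reported version is acceptable, else the reason.

    Separating the decision from the subprocess call keeps the check
    testable without a sigstore binary on the machine running the tests.
    """
    version = parse_version(version_output)
    if version_in_range(version):
        return None
    return (
        f"sigstore {format_version(version)} is not supported; need "
        f">= {format_version(MIN_VERSION)} and < {format_version(MAX_VERSION_EXCLUSIVE)}"
    )


def installed_sigstore_version_output() -> str:
    """Run `sigstore --version` and return its stdout."""
    exe = shutil.which("sigstore")
    if exe is None:
        raise RuntimeError("sigstore CLI not found on PATH")
    result = subprocess.run(
        [exe, "--version"], check=True, capture_output=True, text=True
    )
    return result.stdout


if __name__ == "__main__":
    # Pre-check as it would run at the start of a release.
    problem = check_sigstore_cli(installed_sigstore_version_output())
    if problem is not None:
        raise SystemExit(f"Sigstore pre-check failed: {problem}")
    print("Sigstore CLI version OK")
```

Running the module as a script performs the pre-check against the installed CLI; `check_sigstore_cli` takes the version text as input so the range logic can be exercised against constructed strings such as `"sigstore 3.5.3"` (the version that failed) without invoking the binary.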
I've removed the later check. I plan to merge this before Tuesday's 3.15.0a2.