
Conversation


@hugovk hugovk commented Oct 15, 2025

During the 3.15.0a1 release, after the release files had been signed by Sigstore I got this error during the verification:

[14:50:14] ERROR    FAIL:                                           _cli.py:1082
                    /srv/www.python.org/ftp/python/3.15.0/python-3.
                    15.0a1-macos11.pkg
           ERROR    Did not find one Rekor key in trusted root.     errors.py:41
                    For detailed error information, run sigstore
                    with the `--verbose` flag.

This was fixed in Sigstore 3.6.2: sigstore/sigstore-python#1350

I upgraded my version of sigstore on the downloads server from 3.5.3 to 3.6.6 (the latest 3.6.x, and the latest 3.x that's <4) and it then worked.

So let's adjust the "Checking Sigstore CLI" pre-check which runs at the start of the whole release, so instead of checking >=3, it checks >= 3.6.2 and <4.

This original >=3 check was added in #194.


We also have a second sigstore version check later on.

It's part of add_to_pydotorg.py, which runs on the downloads server, and does the actual signing/verifying/uploading.

This was added in #167.

I didn't change this to also check >= 3.6.2, < 4. In fact, I think we could remove it because we have the pre-check above?
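One way to write the pre-check the PR describes (a lower bound of 3.6.2 and an exclusive upper bound of 4), as an added example that is not the release-tools project's own code. It assumes the CLI is on PATH and that `sigstore --version` prints a line containing the version as `X.Y.Z`; the helper names, the banner format and the exact messages are assumptions for illustration. The parse step deliberately fails closed: a missing or garbled version banner is treated as a failed check rather than silently passing.

```python
"""Pre-flight gate: require the sigstore-python CLI to be >= 3.6.2 and < 4.

Added example, not code from the release-tools repository. It assumes
`sigstore --version` prints a line containing the version as X.Y.Z
(banner format is an assumption).
"""
import re
import shutil
import subprocess

# 3.6.2 is the first release that finds the Rekor key in the trusted root
# (see the PR description); 4.x is gated out because the release process
# has not been exercised against it.
MIN_VERSION = (3, 6, 2)
MAX_VERSION_EXCLUSIVE = (4, 0, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Return the first X.Y.Z in `text` as a tuple of ints.

    Raises ValueError when no version is present, so a missing or
    garbled banner cannot pass the check by accident.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"cannot find a version in sigstore output: {text!r}")
    return tuple(int(part) for part in match.groups())


def version_in_range(version: tuple,
                     lower: tuple = MIN_VERSION,
                     upper: tuple = MAX_VERSION_EXCLUSIVE) -> bool:
    """True when lower <= version < upper (tuple comparison is lexicographic)."""
    return lower <= version < upper


def check_sigstore_version(version_output: str) -> tuple:
    """Evaluate the text printed by `sigstore --version`.

    Returns (ok, message); never raises, so callers can log and abort.
    """
    try:
        version = parse_version(version_output)
    except ValueError as exc:
        return False, str(exc)
    dotted = ".".join(str(part) for part in version)
    wanted = ".".join(str(part) for part in MIN_VERSION)
    if version_in_range(version):
        return True, f"sigstore {dotted} OK (>= {wanted}, < 4)"
    return False, f"sigstore {dotted} is not >= {wanted} and < 4; upgrade or pin the CLI"


def sigstore_cli_check() -> tuple:
    """Run the real CLI and apply the check (hypothetical pre-check entry point)."""
    exe = shutil.which("sigstore")
    if exe is None:
        return False, "sigstore CLI not found on PATH"
    proc = subprocess.run([exe, "--version"], capture_output=True, text=True, check=False)
    # Some CLIs print their version banner to stderr, so inspect both streams.
    return check_sigstore_version(proc.stdout + proc.stderr)


if __name__ == "__main__":
    ok, message = sigstore_cli_check()
    print(message)
    raise SystemExit(0 if ok else 1)
```

Run it at the start of the release, before any signing happens, so the failure surfaces while nothing has been uploaded yet; the exit status makes it usable from a shell wrapper as well as from Python.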

@hugovk hugovk changed the title Refactor Sigstore version check to be testable Ensure Sigstore CLI on downloads server is >= 3.6.2 and < 4 Oct 15, 2025

hugovk commented Oct 16, 2025

I didn't change this to also check >= 3.6.2, < 4. In fact, I think we could remove it because we have the pre-check above?

@sethmlarson Thoughts on this?
