From 25b75b110cb4173e173476cd88ded741b37c3a98 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Mon, 3 Mar 2025 23:22:02 -0500 Subject: [PATCH 01/11] Do not delete tests/x509 on RHEL tests/x509 now provides imports used by tests in other directories, and no longer require pytz. --- python-cryptography.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 110249d..e10429e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -115,7 +115,7 @@ find . -name Cargo.toml -print -delete %if %{with tests} %if 0%{?rhel} # skip benchmark, hypothesis, and pytz tests on RHEL -rm -rf tests/bench tests/hypothesis tests/x509 +rm -rf tests/bench tests/hypothesis # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py %endif From 683f73c2b86b3035a407c58d8da331232bc68cc1 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Thu, 6 Mar 2025 11:43:48 -0500 Subject: [PATCH 02/11] Modernize Rust macro usage This adds automatically generated licensing data, and bundled provides for vendored dependencies in the RHEL builds. --- python-cryptography.spec | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index e10429e..91b85b9 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -12,7 +12,13 @@ Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, # as well as the Python Software Foundation license for the OS random # engine derived by CPython. -License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 +# Rust crate dependency licenses: +# Apache-2.0 +# Apache-2.0 OR MIT +# BSD-3-Clause +# MIT +# MIT OR Apache-2.0 +License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 AND Apache-2.0 AND BSD-3-Clause AND MIT AND (MIT OR Apache-2.0) URL: https://cryptography.io/en/latest/ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz # created by ./vendor_rust.py helper script @@ -71,13 +77,13 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -n %{srcname}-%{version} +%autosetup -p1 %{!?fedora:-a1} -n %{srcname}-%{version} %if 0%{?fedora} %cargo_prep sed -i 's/locked = true//g' pyproject.toml %else # RHEL: use vendored Rust crates -%cargo_prep -V 1 +%cargo_prep -v vendor %endif %if ! 0%{?fedora} @@ -89,9 +95,7 @@ sed -i 's,--benchmark-disable,,' pyproject.toml %pyproject_buildrequires %if 0%{?fedora} # Fedora: use RPMified crates -cd src/rust %cargo_generate_buildrequires -cd ../.. %endif @@ -101,6 +105,12 @@ export OPENSSL_NO_VENDOR=1 export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 " %pyproject_wheel +%cargo_license_summary +%{cargo_license} > LICENSE.dependencies +%if ! 0%{?fedora} +%cargo_vendor_manifest +%endif + %install # Actually other *.c and *.h are appropriate @@ -139,6 +149,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD +%license LICENSE.dependencies +%if ! 0%{?fedora} +%license cargo-vendor.txt +%endif %changelog From f06f4c280408a86ae39f4a942bc6b2d46038b84f Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 19 May 2025 10:49:48 -0400 Subject: [PATCH 03/11] Update to v45.0.2 This update includes two backwards-incompatible changes with v44: - Made SSH private key loading more consistent with other private key loading: :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key` now raises a TypeError if the key is unencrypted but a password is provided (previously no exception was raised), and raises a TypeError if the key is encrypted but no password is provided (previously a ValueError was raised). - The :meth:`VerifiedClient.subject ` property can now be None since a custom extension policy may allow certificates without a Subject Alternative Name extension. Full changelog: https://github.com/pyca/cryptography/blob/45.0.2/CHANGELOG.rst --- .gitignore | 2 ++ 12091.patch | 34 ---------------------------------- python-cryptography.spec | 6 +----- sources | 4 ++-- 4 files changed, 5 insertions(+), 41 deletions(-) delete mode 100644 12091.patch diff --git a/.gitignore b/.gitignore index ea7f662..6778d54 100644 --- a/.gitignore +++ b/.gitignore @@ -69,3 +69,5 @@ /cryptography-43.0.0-vendor.tar.bz2 /cryptography-44.0.0.tar.gz /cryptography-44.0.0-vendor.tar.bz2 +/cryptography-45.0.2.tar.gz +/cryptography-45.0.2-vendor.tar.bz2 diff --git a/12091.patch b/12091.patch deleted file mode 100644 index 96ef95a..0000000 --- a/12091.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 68369a6dbae71a9314ac0ecc8b88c435600cb4e9 Mon Sep 17 00:00:00 2001 -From: Johan Andersson -Date: Tue, 3 Dec 2024 00:43:31 +0100 -Subject: [PATCH] build: remove cargo.toml files from wheels - ---- - pyproject.toml | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/pyproject.toml b/pyproject.toml -index 4266e3bd5ba4..0378e78815e3 100644 ---- a/pyproject.toml -+++ b/pyproject.toml -@@ -101,15 +101,17 @@ include = [ - "src/_cffi_src/**/*.c", - "src/_cffi_src/**/*.h", - -- "**/Cargo.toml", -- "**/Cargo.lock", -+ "Cargo.toml", -+ "Cargo.lock", -+ "src/rust/**/Cargo.toml", -+ "src/rust/**/Cargo.lock", - "src/rust/**/*.rs", - - "tests/**/*.py", - ] - exclude = [ - "vectors/**/*", -- "src/rust/target/**/*", -+ "target/**/*", - "docs/_build/**/*", - ".github/**/*", - ".readthedocs.yml", diff --git a/python-cryptography.spec b/python-cryptography.spec index 91b85b9..3907b6b 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 44.0.0 +Version: 45.0.2 Release: %autorelease Summary: PyCA's cryptography library @@ -25,10 +25,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -# Merged for 45.0.0+ -# https://github.com/pyca/cryptography/pull/12091 -Patch: 12091.patch - ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel diff --git a/sources b/sources index d10f2cb..c6a4acc 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-44.0.0.tar.gz) = 6a0320ef3ece42e5b501d5381f719e01cb20b2971f0334a8a37f7b9a941482399901500f59817bffb1da579673e7785741a3016f51ac3bbf9bec55ff5df611ad -SHA512 (cryptography-44.0.0-vendor.tar.bz2) = 53b52a5aac5de01ac878e5fb477e890b093e6886d8a0b210801402900000560d7a3b8a85414b81f0ff22aadf6f7bbd94ccace70666709197b97424207942af2b +SHA512 (cryptography-45.0.2.tar.gz) = c0393f7e75cf5bba3ae8b6deea00d2a27b097ab6c4a5b59727e76d0df537fbbb648bb1879cd85f26aff93e8f4bedfdf178090330dc42e7d1c939a4b4379443e0 +SHA512 (cryptography-45.0.2-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From adc63ac786ecfec84079d5ecb2ee7d8f6a41b5bd Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Sun, 25 May 2025 12:49:30 -0400 Subject: [PATCH 04/11] Update to v45.0.3 This fixes two issues from v45: - Fixed decrypting PKCS#8 files encrypted with long salts (this impacts keys encrypted by Bouncy Castle). - Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. While wildly insecure, this remains prevalent. --- .gitignore | 2 ++ python-cryptography.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 6778d54..4a18b60 100644 --- a/.gitignore +++ b/.gitignore @@ -71,3 +71,5 @@ /cryptography-44.0.0-vendor.tar.bz2 /cryptography-45.0.2.tar.gz /cryptography-45.0.2-vendor.tar.bz2 +/cryptography-45.0.3.tar.gz +/cryptography-45.0.3-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 3907b6b..31b41e2 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 45.0.2 +Version: 45.0.3 Release: %autorelease Summary: PyCA's cryptography library diff --git a/sources b/sources index c6a4acc..9fb264e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-45.0.2.tar.gz) = c0393f7e75cf5bba3ae8b6deea00d2a27b097ab6c4a5b59727e76d0df537fbbb648bb1879cd85f26aff93e8f4bedfdf178090330dc42e7d1c939a4b4379443e0 -SHA512 (cryptography-45.0.2-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 +SHA512 (cryptography-45.0.3.tar.gz) = 498facb35ad9db2de76c0d5120ae1322b730efeccf62ab324af1e88193e70d177ac92fbdac6b9dafc953c84c43dcc8c6bdabf3dbb3eb0c0854cb16ab0782ddb3 +SHA512 (cryptography-45.0.3-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From 2fadd7bb9ab0a159e6d5f845cd1d6b922c6d6dab Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 3 Jun 2025 13:37:55 +0200 Subject: [PATCH 05/11] Bootstrap for Python 3.14 --- python-cryptography.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index 31b41e2..27fad32 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,3 +1,4 @@ +%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} From 65da927d85a980fe32d693d7f3ae2a5c1703740c Mon Sep 17 00:00:00 2001 From: Python Maint Date: Wed, 4 Jun 2025 18:30:16 +0200 Subject: [PATCH 06/11] Rebuilt for Python 3.14 --- python-cryptography.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 27fad32..31b41e2 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,3 @@ -%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} From 8034f94f7793712d41c2a2b2b3c55ea6a1c85da1 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Wed, 11 Jun 2025 09:31:07 -0400 Subject: [PATCH 07/11] Update to v45.0.4 The upstream release fixes a single issue: - Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This is not considered secure, and is supported only for backwards compatibility.) Fixes rhbz #2371350 --- .gitignore | 2 ++ python-cryptography.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 4a18b60..4ad8197 100644 --- a/.gitignore +++ b/.gitignore @@ -73,3 +73,5 @@ /cryptography-45.0.2-vendor.tar.bz2 /cryptography-45.0.3.tar.gz /cryptography-45.0.3-vendor.tar.bz2 +/cryptography-45.0.4.tar.gz +/cryptography-45.0.4-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 31b41e2..ae9b0b1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 45.0.3 +Version: 45.0.4 Release: %autorelease Summary: PyCA's cryptography library diff --git a/sources b/sources index 9fb264e..e79ea50 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-45.0.3.tar.gz) = 498facb35ad9db2de76c0d5120ae1322b730efeccf62ab324af1e88193e70d177ac92fbdac6b9dafc953c84c43dcc8c6bdabf3dbb3eb0c0854cb16ab0782ddb3 -SHA512 (cryptography-45.0.3-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 +SHA512 (cryptography-45.0.4.tar.gz) = 08b35f414d81f83ee242f5d208f8aabc12dc53f1a0cbffc5be1ed7f9173e9c9863225a7eb5cff4e9f3dacf5e9fcb3e8701e33c441e1562ee13f9e3927fafb3df +SHA512 (cryptography-45.0.4-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From 22e34bf15083c5690415b1cf16fbbafae1ac0c1e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 25 Jul 2025 07:25:06 +0000 Subject: [PATCH 08/11] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 5e511855936600aa1b4f9108e740cf9ec0265588 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 15 Aug 2025 13:32:38 +0200 Subject: [PATCH 09/11] Rebuilt for Python 3.14.0rc2 bytecode From 5e1fd8e20da2a7587e12bd6ef621c6ac6a6af07b Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 19 Sep 2025 13:05:04 +0200 Subject: [PATCH 10/11] Rebuilt for Python 3.14.0rc3 bytecode From 1a3a50b8d38e467b5a9b4422d073bf0b915ba94b Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Wed, 22 Oct 2025 13:03:41 +0100 Subject: [PATCH 11/11] Drop pytz test req, only needed for py < 3.9 The pytz requirement now is only used for CI for py < 3.9: pytz==2025.2 ; python_full_version < '3.9' Also drop no longer valid comment snippet --- python-cryptography.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index ae9b0b1..16b4d7e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -49,7 +49,6 @@ BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-xdist -BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 %endif @@ -120,7 +119,7 @@ find . -name Cargo.toml -print -delete %check %if %{with tests} %if 0%{?rhel} -# skip benchmark, hypothesis, and pytz tests on RHEL +# skip benchmark and hypothesis tests on RHEL rm -rf tests/bench tests/hypothesis # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py