Drop pytz test req, only needed for py < 3.9

The pytz requirement now is only used for CI for py < 3.9:
pytz==2025.2 ; python_full_version < '3.9'

Also drop no longer valid comment snippet

.gitignore

@@ -1,3 +1,5 @@
+/results_python-cryptography
+/*.src.rpm
 /cryptography-1.3.1.tar.gz
 /cryptography-1.5.3.tar.gz
 /cryptography-1.7.1.tar.gz
@@ -17,3 +19,59 @@
 /cryptography-2.9.tar.gz.asc
 /cryptography-3.0.tar.gz
 /cryptography-3.0.tar.gz.asc
+/cryptography-3.1.tar.gz
+/cryptography-3.1.tar.gz.asc
+/cryptography-3.2.tar.gz
+/cryptography-3.2.tar.gz.asc
+/cryptography-3.2.1.tar.gz
+/cryptography-3.2.1.tar.gz.asc
+/cryptography-3.3.1.tar.gz
+/cryptography-3.3.1.tar.gz.asc
+/cryptography-3.4.tar.gz
+/cryptography-3.4.tar.gz.asc
+/cryptography-3.4.1.tar.gz
+/cryptography-3.4.1.tar.gz.asc
+/cryptography-3.4.2.tar.gz
+/cryptography-3.4.2.tar.gz.asc
+/cryptography-3.4.4.tar.gz
+/cryptography-3.4.4.tar.gz.asc
+/cryptography-3.4.5.tar.gz
+/cryptography-3.4.5.tar.gz.asc
+/cryptography-3.4.6.tar.gz
+/cryptography-3.4.6.tar.gz.asc
+/cryptography-3.4.7.tar.gz
+/cryptography-3.4.7-vendor.tar.bz2
+/cryptography-35.0.0.tar.gz
+/cryptography-35.0.0-vendor.tar.bz2
+/cryptography-36.0.0.tar.gz
+/cryptography-36.0.0-vendor.tar.bz2
+/cryptography-37.0.2.tar.gz
+/cryptography-37.0.2-vendor.tar.bz2
+/cryptography-39.0.2.tar.gz
+/cryptography-39.0.2-vendor.tar.bz2
+/cryptography-40.0.0.tar.gz
+/cryptography-40.0.0-vendor.tar.bz2
+/cryptography-40.0.1.tar.gz
+/cryptography-40.0.1-vendor.tar.bz2
+/cryptography-40.0.2.tar.gz
+/cryptography-40.0.2-vendor.tar.bz2
+/cryptography-41.0.3.tar.gz
+/cryptography-41.0.3-vendor.tar.bz2
+/cryptography-41.0.5-vendor.tar.bz2
+/cryptography-41.0.5.tar.gz
+/cryptography-41.0.7.tar.gz
+/cryptography-41.0.7-vendor.tar.bz2
+/cryptography-42.0.5.tar.gz
+/cryptography-42.0.5-vendor.tar.bz2
+/cryptography-42.0.8.tar.gz
+/cryptography-42.0.8-vendor.tar.bz2
+/cryptography-43.0.0.tar.gz
+/cryptography-43.0.0-vendor.tar.bz2
+/cryptography-44.0.0.tar.gz
+/cryptography-44.0.0-vendor.tar.bz2
+/cryptography-45.0.2.tar.gz
+/cryptography-45.0.2-vendor.tar.bz2
+/cryptography-45.0.3.tar.gz
+/cryptography-45.0.3-vendor.tar.bz2
+/cryptography-45.0.4.tar.gz
+/cryptography-45.0.4-vendor.tar.bz2

README.md

@@ -0,0 +1,59 @@
+# PyCA cryptography
+
+https://cryptography.io/en/latest/
+
+## Packaging python-cryptography
+
+The example assumes
+
+* Fedora Rawhide (f34)
+* PyCA cryptography release ``3.4``
+* Update Bugzilla issue is ``RHBZ#00000001``
+
+### Build new python-cryptography
+
+Switch and update branch
+
+```shell
+fedpkg switch-branch rawhide
+fedpkg pull
+```
+
+Bump version and get sources
+
+```shell
+rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography.spec
+spectool -gf python-cryptography.spec
+```
+
+Upload new source
+
+```shell
+fedpkg new-sources cryptography-3.4.tar.gz
+```
+
+Commit changes
+
+```shell
+fedpkg commit --clog
+fedpkg push
+```
+
+Build
+
+```shell
+fedpkg build
+```
+
+## RHEL/CentOS builds
+
+RHEL and CentOS use a different approach for Rust crates packaging than
+Fedora. On Fedora Rust dependencies are packaged as RPMs, e.g.
+``rust-pyo3+default-devel`` RPM. These packages don't exist on RHEL and
+CentOS. Instead python-cryptography uses a tar ball with vendored crates.
+The tar ball is created by a script:
+
+```shell
+./vendor_rust.py
+rhpkg upload cryptography-3.4-vendor.tar.bz2
+```

changelog

@@ -0,0 +1,248 @@
+* Tue Jul 02 2024 Jeremy Cline <jeremycline@linux.microsoft.com> - 42.0.8-1
+- Update to 42.0.8, fixes rhbz#2251816
+
+* Sat Jun 08 2024 Python Maint <python-maint@redhat.com> - 41.0.7-3
+- Rebuilt for Python 3.13
+
+* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 41.0.7-2
+- Bootstrap for Python 3.13
+
+* Thu Feb 01 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 41.0.7-1
+- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083
+
+* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.0.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.0.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Dec 01 2023 Fabio Valentini <decathorpe@gmail.com> - 41.0.5-2
+- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072)
+
+* Thu Oct 26 2023 Christian Heimes <cheimes@redhat.com> - 41.0.5-1
+- Update to 41.0.5, resolves RHBZ#2239707
+
+* Mon Aug 14 2023 Christian Heimes <cheimes@redhat.com> - 41.0.3-2
+- Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042
+
+* Wed Aug 09 2023 Christian Heimes <cheimes@redhat.com> - 41.0.3-1
+- Update to 41.0.3, resolves rhbz#2211237
+- Use pyo3 0.19
+
+* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 40.0.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Mon Jul 10 2023 Python Maint <python-maint@redhat.com> - 40.0.2-4
+- Rebuilt for Python 3.12
+
+* Wed Jun 14 2023 Python Maint <python-maint@redhat.com> - 40.0.2-3
+- Bootstrap for Python 3.12
+
+* Tue Jun 13 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 40.0.2-2
+- Use vendored rust-pem in RHEL builds
+
+* Tue Apr 18 2023 Christian Heimes <cheimes@redhat.com> - 40.0.2-1
+- Update to 40.0.2, resolves rhbz#2181430
+
+* Thu Mar 09 2023 Miro Hrončok <mhroncok@redhat.com> - 39.0.2-2
+- Don't run tests requiring pytz on RHEL
+- Don't try to run tests of vendored dependencies in %%check
+
+* Sat Mar 04 2023 Christian Heimes <cheimes@redhat.com> - 39.0.2-1
+- Update to 39.0.2, resolves rhbz#2124729
+
+* Tue Feb 28 2023 Fabio Valentini <decathorpe@gmail.com> - 37.0.2-9
+- Ensure correct compiler flags are used for Rust code.
+
+* Wed Feb 22 2023 Christian Heimes <cheimes@redhat.com> - 37.0.2-8
+- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820
+- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661
+
+* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 37.0.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Dec 09 2022 Christian Heimes <cheimes@redhat.com> - 37.0.2-6
+- Enable SHA1 signatures in test suite (ELN-only)
+
+* Wed Aug 17 2022 Miro Hrončok <mhroncok@redhat.com> - 37.0.2-5
+- Drop unused requirement of python3-six
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 37.0.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Jun 14 2022 Python Maint <python-maint@redhat.com> - 37.0.2-3
+- Rebuilt for Python 3.11
+
+* Tue Jun 14 2022 Python Maint <python-maint@redhat.com> - 37.0.2-2
+- Bootstrap for Python 3.11
+
+* Thu May 05 2022 Christian Heimes <cheimes@redhat.com> - 37.0.2-1
+- Update to 37.0.2, resolves rhbz#2078968
+
+* Thu Jan 27 2022 Christian Heimes <cheimes@redhat.com> - 36.0.0-3
+- Skip unstable memleak tests, resolves: RHBZ#2042413
+
+* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 36.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Mon Nov 22 2021 Christian Heimes <cheimes@redhat.com> - 36.0.0-1
+- Update to 36.0.0, fixes RHBZ#2025347
+
+* Thu Sep 30 2021 Christian Heimes <cheimes@redhat.com> - 35.0.0-2
+- Require rust-asn1 >= 0.6.4
+
+* Thu Sep 30 2021 Christian Heimes <cheimes@redhat.com> - 35.0-1
+- Update to 35.0.0 (#2009117)
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 3.4.7-6
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.7-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu Jun 10 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.4.7-4
+- Don't conditionalize Source: directives
+
+* Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 3.4.7-3
+- Rebuilt for Python 3.10
+
+* Tue May 11 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-2
+- Fix compatibility issue with Python 3.10. Enums now use same
+  representation as on Python 3.9. (#1952522)
+- Backport OpenSSL 3.0.0 compatibility patches.
+
+* Wed Apr 21 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-1
+- Update to 3.4.7
+- Remove dependency on python-cryptography-vectors package and use vectors
+  directly from Github source tar ball. (#1952024)
+
+* Wed Mar 03 2021 Christian Heimes <cheimes@redhat.com> - 3.4.6-1
+- Update to 3.4.6 (#1927044)
+
+* Mon Feb 15 2021 Christian Heimes <cheimes@redhat.com> - 3.4.5-1
+- Update to 3.4.5 (#1927044)
+
+* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-3
+- Skip iso8601 and pretend tests on RHEL
+
+* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-2
+- Provide RHEL build infrastructure
+
+* Wed Feb 10 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-1
+- Update to 3.4.4 (#1927044)
+
+* Mon Feb 08 2021 Christian Heimes <cheimes@redhat.com> - 3.4.2-1
+- Update to 3.4.2 (#1926339)
+- Package no longer depends on Rust (#1926181)
+
+* Mon Feb 08 2021 Fabio Valentini <decathorpe@gmail.com> - 3.4.1-2
+- Use dynamically generated BuildRequires for PyO3 Rust module.
+- Drop unnecessary CARGO_NET_OFFLINE environment variable.
+
+* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4.1-1
+- Update to 3.4.1 (#1925953)
+
+* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-2
+- Add missing abi3 and pytest dependencies
+
+* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-1
+- Update to 3.4 (#1925953)
+- Remove Python 2 support
+- Remove unused python-idna dependency
+- Add Rust support
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Dec 10 2020 Christian Heimes <cheimes@redhat.com> - 3.3.1-1
+- Update to 3.3.1 (#1905756)
+
+* Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
+- Update to 3.2.1 (#1892153)
+
+* Mon Oct 26 2020 Christian Heimes <cheimes@redhat.com> - 3.2-1
+- Update to 3.2 (#1891378)
+
+* Mon Sep 07 2020 Christian Heimes <cheimes@redhat.com> - 3.1-1
+- Update to 3.1 (#1872978)
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 21 2020 Christian Heimes <cheimes@redhat.com> - 3.0-1
+- Update to 3.0 (#185897)
+
+* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.9-3
+- Rebuilt for Python 3.9
+
+* Tue May 12 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.9-2
+- add source file verification
+
+* Fri Apr 03 2020 Christian Heimes <cheimes@redhat.com> - 2.9-1
+- Update to 2.9 (#1820348)
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Jan 13 2020 Christian Heimes <cheimes@redhat.com> - 2.8-2
+- cryptography 2.8+ no longer depends on python-asn1crypto
+
+* Thu Oct 17 2019 Christian Heimes <cheimes@redhat.com> - 2.8-1
+- Update to 2.8
+- Resolves: rhbz#1762779
+
+* Sun Oct 13 2019 Christian Heimes <cheimes@redhat.com> - 2.7-3
+- Skip unit tests that fail with OpenSSL 1.1.1.d
+- Resolves: rhbz#1761194
+- Fix and simplify Python 3 packaging
+
+* Sat Oct 12 2019 Christian Heimes <cheimes@redhat.com> - 2.7-2
+- Drop Python 2 package
+- Resolves: rhbz#1761081
+
+* Tue Sep 03 2019 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.7-1
+- Update to 2.7 (#1715680).
+
+* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.1-3
+- Rebuilt for Python 3.8
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Feb 28 2019 Christian Heimes <cheimes@redhat.com> - 2.6.1-1
+- New upstream release 2.6.1, resolves RHBZ#1683691
+
+* Wed Feb 13 2019 Alfredo Moralejo <amoralej@redhat.com> - 2.5-1
+- Updated to 2.5.
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
+- Use TLSv1.2 in test as workaround for RHBZ#1615143
+
+* Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
+- New upstream release 2.3
+- Fix AEAD tag truncation bug, RHBZ#1602752
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.2.1-2
+- Rebuilt for Python 3.7
+
+* Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
+- New upstream release 2.2.1
+
+* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
+- New upstream release 2.1.4
+
+* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
+- Build requires gcc
+
+* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

conftest-skipper.py

@@ -0,0 +1,22 @@
+
+class Skipper:
+    """Skip iso8601 and pretend tests
+
+    RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip
+    all tests that use the excluded modules.
+    """
+
+    def parse_date(self, datestring):
+        pytest.skip(f"iso8601 module is not available.")
+
+    def stub(self, **kwargs):
+        pytest.skip(f"pretend module is not available.")
+
+    def raiser(self, exc):
+        pytest.skip(f"pretend module is not available.")
+
+
+import sys
+
+sys.modules["iso8601"] = sys.modules["pretend"] = Skipper()
+

python-cryptography.spec

@@ -1,17 +1,3 @@
-%if 0%{?fedora} || 0%{?rhel} > 7
-# Enable python3 build by default
-%bcond_without python3
-%else
-%bcond_with python3
-%endif
-
-%if 0%{?fedora} > 31 || 0%{?rhel} > 7
-# Disable python2 build by default
-%bcond_with python2
-%else
-%bcond_without python2
-%endif
-
 %bcond_without tests
 
 %{!?python3_pkgversion:%global python3_pkgversion 3}
@@ -19,234 +5,150 @@
 %global srcname cryptography
 
 Name:           python-%{srcname}
-Version:        3.0
+Version:        45.0.4
-Release:        2%{?dist}
+Release:        %autorelease
 Summary:        PyCA's cryptography library
 
-License:        ASL 2.0 or BSD
+# cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause,
+# as well as the Python Software Foundation license for the OS random
+# engine derived by CPython.
+# Rust crate dependency licenses:
+# Apache-2.0
+# Apache-2.0 OR MIT
+# BSD-3-Clause
+# MIT
+# MIT OR Apache-2.0
+License:        (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 AND Apache-2.0 AND BSD-3-Clause AND MIT AND (MIT OR Apache-2.0)
 URL:            https://cryptography.io/en/latest/
-Source0:        %{pypi_source}
+Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
-Source1:        %{pypi_source}.asc
+                # created by ./vendor_rust.py helper script
-# key ids of upstream authors are published in the AUTHORS file:
+Source1:        cryptography-%{version}-vendor.tar.bz2
-#    https://github.com/pyca/cryptography/blob/master/AUTHORS.rst
+Source2:        conftest-skipper.py
-# gpg2 --recv-keys "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98"
+
-# gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
+ExclusiveArch:  %{rust_arches}
-Source2:        gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
 
 BuildRequires:  openssl-devel
 BuildRequires:  gcc
 BuildRequires:  gnupg2
-
+%if 0%{?fedora}
-%if 0%{?with_python2}
+BuildRequires:  rust-packaging
-BuildRequires:  python2-cffi >= 1.7
+%else
-BuildRequires:  python2-cryptography-vectors = %{version}
+BuildRequires:  rust-toolset
-BuildRequires:  python2-devel
-BuildRequires:  python2-enum34
-BuildRequires:  python2-idna >= 2.1
-BuildRequires:  python2-ipaddress
-BuildRequires:  python2-setuptools
-BuildRequires:  python2-six >= 1.4.1
-
-%if %{with tests}
-BuildRequires:  python2-hypothesis >= 1.11.4
-BuildRequires:  python2-iso8601
-BuildRequires:  python2-pretend
-BuildRequires:  python2-pytest >= 3.2.1
-BuildRequires:  python2-pytz
-%endif
 %endif
 
-%if 0%{?with_python3}
+BuildRequires:  python%{python3_pkgversion}-cffi >= 1.12
-BuildRequires:  python%{python3_pkgversion}-cffi >= 1.7
 BuildRequires:  python%{python3_pkgversion}-devel
-BuildRequires:  python%{python3_pkgversion}-idna >= 2.1
 BuildRequires:  python%{python3_pkgversion}-setuptools
-BuildRequires:  python%{python3_pkgversion}-six >= 1.4.1
+BuildRequires:  python%{python3_pkgversion}-setuptools-rust >= 0.11.4
 
 %if %{with tests}
-BuildRequires:  python%{python3_pkgversion}-cryptography-vectors = %{version}
+%if 0%{?fedora}
+BuildRequires:  python%{python3_pkgversion}-certifi
 BuildRequires:  python%{python3_pkgversion}-hypothesis >= 1.11.4
 BuildRequires:  python%{python3_pkgversion}-iso8601
 BuildRequires:  python%{python3_pkgversion}-pretend
-BuildRequires:  python%{python3_pkgversion}-pytest >= 3.2.1
+BuildRequires:  python%{python3_pkgversion}-pytest-benchmark
-BuildRequires:  python%{python3_pkgversion}-pytz
+BuildRequires:  python%{python3_pkgversion}-pytest-xdist
 %endif
+BuildRequires:  python%{python3_pkgversion}-pytest >= 6.2.0
 %endif
 
 %description
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 
-%if 0%{?with_python2}
-%package -n  python2-%{srcname}
-Summary:        PyCA's cryptography library
-
-%if 0%{?with_python3}
-%{?python_provide:%python_provide python2-%{srcname}}
-%else
-Provides:       python-%{srcname}
-%endif
-
-Requires:       openssl-libs
-Requires:       python2-idna >= 2.1
-Requires:       python2-six >= 1.4.1
-Requires:       python2-cffi >= 1.7
-Requires:       python2-enum34
-Requires:       python2-ipaddress
-
-%description -n python2-%{srcname}
-cryptography is a package designed to expose cryptographic primitives and
-recipes to Python developers.
-%endif
-
-%if 0%{?with_python3}
 %package -n  python%{python3_pkgversion}-%{srcname}
 Summary:        PyCA's cryptography library
 %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
 
 Requires:       openssl-libs
-Requires:       python%{python3_pkgversion}-idna >= 2.1
+%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
-Requires:       python%{python3_pkgversion}-six >= 1.4.1
+# Can be safely removed in Fedora 37
-Requires:       python%{python3_pkgversion}-cffi >= 1.7
+Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7
+%endif
 
 %description -n python%{python3_pkgversion}-%{srcname}
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
-%endif
 
 %prep
-%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%autosetup -p1 %{!?fedora:-a1} -n %{srcname}-%{version}
-%autosetup -p1 -n %{srcname}-%{version}
+%if 0%{?fedora}
+%cargo_prep
+sed -i 's/locked = true//g' pyproject.toml
+%else
+# RHEL: use vendored Rust crates
+%cargo_prep -v vendor
+%endif
+
+%if ! 0%{?fedora}
+sed -i 's,--benchmark-disable,,' pyproject.toml
+%endif
+
+
+%generate_buildrequires
+%pyproject_buildrequires
+%if 0%{?fedora}
+# Fedora: use RPMified crates
+%cargo_generate_buildrequires
+%endif
+
 
 %build
-%if 0%{?with_python2}
+export RUSTFLAGS="%build_rustflags"
-%py2_build
+export OPENSSL_NO_VENDOR=1
-%endif
+export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 "
-%if 0%{?with_python3}
+%pyproject_wheel
-%py3_build
+
+%cargo_license_summary
+%{cargo_license} > LICENSE.dependencies
+%if ! 0%{?fedora}
+%cargo_vendor_manifest
 %endif
 
+
 %install
 # Actually other *.c and *.h are appropriate
 # see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete
+find . -name Cargo.toml -print -delete
+%pyproject_install
+%pyproject_save_files %{srcname}
 
-%if 0%{?with_python2}
-%py2_install
-%endif
-%if 0%{?with_python3}
-%py3_install
-%endif
 
 %check
 %if %{with tests}
-%if 0%{?with_python2}
+%if 0%{?rhel}
+# skip benchmark and hypothesis tests on RHEL
+rm -rf tests/bench tests/hypothesis
+# append skipper to skip iso8601 and pretend tests
+cat < %{SOURCE2} >> tests/conftest.py
+%endif
+
+# enable SHA-1 signatures for RSA tests
+# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343
+export OPENSSL_ENABLE_SHA1_SIGNATURES=yes
+
 # see https://github.com/pyca/cryptography/issues/4885 and
 # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
-PYTHONPATH=%{buildroot}%{python2_sitearch} %{__python2} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)"
+# see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes
-%endif
+# not much sense for downstream testing.
-
+# see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure
-%if 0%{?with_python3}
+PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
-PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)"
+    %{__python3} -m pytest \
-%endif
+    --ignore vendor \
+    -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)"
 %endif
 
 
-%if 0%{?with_python2}
+%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files}
-%files -n python2-%{srcname}
-%doc LICENSE LICENSE.APACHE LICENSE.BSD README.rst docs
-%{python2_sitearch}/%{srcname}
-%{python2_sitearch}/%{srcname}-%{version}-py*.egg-info
-%endif
-
-
-%if 0%{?with_python3}
-%files -n python%{python3_pkgversion}-%{srcname}
 %doc README.rst docs
 %license LICENSE LICENSE.APACHE LICENSE.BSD
-%{python3_sitearch}/%{srcname}
+%license LICENSE.dependencies
-%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
+%if ! 0%{?fedora}
+%license cargo-vendor.txt
 %endif
 
 
 %changelog
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
+%autochangelog
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 21 2020 Christian Heimes <cheimes@redhat.com> - 3.0-1
-- Update to 3.0 (#185897)
-
-* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.9-3
-- Rebuilt for Python 3.9
-
-* Tue May 12 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.9-2
-- add source file verification
-
-* Fri Apr 03 2020 Christian Heimes <cheimes@redhat.com> - 2.9-1
-- Update to 2.9 (#1820348)
-
-* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Mon Jan 13 2020 Christian Heimes <cheimes@redhat.com> - 2.8-2
-- cryptography 2.8+ no longer depends on python-asn1crypto
-
-* Thu Oct 17 2019 Christian Heimes <cheimes@redhat.com> - 2.8-1
-- Update to 2.8
-- Resolves: rhbz#1762779
-
-* Sun Oct 13 2019 Christian Heimes <cheimes@redhat.com> - 2.7-3
-- Skip unit tests that fail with OpenSSL 1.1.1.d
-- Resolves: rhbz#1761194
-- Fix and simplify Python 3 packaging
-
-* Sat Oct 12 2019 Christian Heimes <cheimes@redhat.com> - 2.7-2
-- Drop Python 2 package
-- Resolves: rhbz#1761081
-
-* Tue Sep 03 2019 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.7-1
-- Update to 2.7 (#1715680).
-
-* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.1-3
-- Rebuilt for Python 3.8
-
-* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu Feb 28 2019 Christian Heimes <cheimes@redhat.com> - 2.6.1-1
-- New upstream release 2.6.1, resolves RHBZ#1683691
-
-* Wed Feb 13 2019 Alfredo Moralejo <amoralej@redhat.com> - 2.5-1
-- Updated to 2.5.
-
-* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
-- Use TLSv1.2 in test as workaround for RHBZ#1615143
-
-* Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
-- New upstream release 2.3
-- Fix AEAD tag truncation bug, RHBZ#1602752
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.2.1-2
-- Rebuilt for Python 3.7
-
-* Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
-- New upstream release 2.2.1
-
-* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
-- New upstream release 2.1.4
-
-* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
-- Build requires gcc
-
-* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
-- Update Python 2 dependency declarations to new packaging standards
-  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
-
-* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

sources

@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.0.tar.gz) = 4fca5d0e59f02f23c7e2d5c80f86e4cf36eeeb9a128e7b3332a91aa0b9dcdd3282a882a88ea34ffba1e91687eb6d1fc1042774f1e30970e9bf56ee701c32ac15
+SHA512 (cryptography-45.0.4.tar.gz) = 08b35f414d81f83ee242f5d208f8aabc12dc53f1a0cbffc5be1ed7f9173e9c9863225a7eb5cff4e9f3dacf5e9fcb3e8701e33c441e1562ee13f9e3927fafb3df
-SHA512 (cryptography-3.0.tar.gz.asc) = fd8320837b5c1e00b84682621402d5f1de56ceb4691b677caa4a2340544531f2025e374aaa38459ce0387f3050176f4845e1070658d81094c4160f1dd8c3cad8
+SHA512 (cryptography-45.0.4-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06

vendor_rust.py

@@ -0,0 +1,112 @@
+#!/usr/bin/python3
+"""Vendor PyCA cryptography's Rust crates
+"""
+import argparse
+import os
+import re
+import tarfile
+import tempfile
+import shutil
+import subprocess
+import sys
+
+VENDOR_DIR = "vendor"
+CARGO_TOML = "src/rust/Cargo.toml"
+RE_VERSION = re.compile(r"Version:\s*(.*)")
+
+parser = argparse.ArgumentParser(description="Vendor Rust packages")
+parser.add_argument(
+    "--spec", default="python-cryptography.spec", help="cryptography source tar bundle"
+)
+
+
+def cargo(cmd, manifest):
+    args = ["cargo", cmd, f"--manifest-path={manifest}"]
+    return subprocess.check_call(
+        args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={}
+    )
+
+
+def tar_reset(tarinfo):
+    """Reset user, group, mtime, and mode to create reproducible tar"""
+    tarinfo.uid = 0
+    tarinfo.gid = 0
+    tarinfo.uname = "root"
+    tarinfo.gname = "root"
+    tarinfo.mtime = 0
+    if tarinfo.type == tarfile.DIRTYPE:
+        tarinfo.mode = 0o755
+    else:
+        tarinfo.mode = 0o644
+    if tarinfo.pax_headers:
+        raise ValueError(tarinfo.name, tarinfo.pax_headers)
+    return tarinfo
+
+
+def tar_reproducible(tar, basedir):
+    """Create reproducible tar file"""
+
+    content = [basedir]
+    for root, dirs, files in os.walk(basedir):
+        for directory in dirs:
+            content.append(os.path.join(root, directory))
+        for filename in files:
+            content.append(os.path.join(root, filename))
+    content.sort()
+
+    for fn in content:
+        tar.add(fn, filter=tar_reset, recursive=False, arcname=fn)
+
+
+def main():
+    args = parser.parse_args()
+    spec = args.spec
+
+    # change cwd to work in bundle directory
+    here = os.path.dirname(os.path.abspath(spec))
+    os.chdir(here)
+
+    # extract version number from bundle name
+    with open(spec) as f:
+        for line in f:
+            mo = RE_VERSION.search(line)
+            if mo is not None:
+                version = mo.group(1)
+                break
+        else:
+            raise ValueError(f"Cannot find version in {spec}")
+
+    bundle_file = f"cryptography-{version}.tar.gz"
+    vendor_file = f"cryptography-{version}-vendor.tar.bz2"
+
+    # remove existing vendor directory and file
+    if os.path.isdir(VENDOR_DIR):
+        shutil.rmtree(VENDOR_DIR)
+    try:
+        os.unlink(vendor_file)
+    except FileNotFoundError:
+        pass
+
+    print(f"Getting crates for {bundle_file}", file=sys.stderr)
+
+    # extract tar file in tempdir
+    # fetch and vendor Rust crates
+    with tempfile.TemporaryDirectory(dir=here) as tmp:
+        with tarfile.open(bundle_file) as tar:
+            tar.extractall(path=tmp)
+        manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML)
+        cargo("fetch", manifest)
+        cargo("vendor", manifest)
+
+    print("\nCreating tar ball...", file=sys.stderr)
+    with tarfile.open(vendor_file, "x:bz2") as tar:
+        tar_reproducible(tar, VENDOR_DIR)
+
+    # remove vendor dir
+    shutil.rmtree(VENDOR_DIR)
+
+    parser.exit(0, f"Created {vendor_file}\n")
+
+
+if __name__ == "__main__":
+    main()