From ed6d65f51610e2b85a297376b32a0c032b3ea98f Mon Sep 17 00:00:00 2001 From: Francisco Trivino Date: Wed, 4 Sep 2024 11:41:44 +0200 Subject: [PATCH 01/16] allow sha1 in OAEP In FIPS mode, RSA OAEP padding is refused with an error message: "This combination of padding and hash algorithm is not supported by this backend." It picks up the patch in https://github.com/pyca/cryptography/pull/11536 to allow sha1 in OAEP. Fixes: https://github.com/pyca/cryptography/issues/11512 Related: https://issues.redhat.com/browse/RHEL-40210 Signed-off-by: Francisco Trivino --- 11536.patch | 26 ++++++++++++++++++++++++++ python-cryptography.spec | 1 + 2 files changed, 27 insertions(+) create mode 100644 11536.patch diff --git a/11536.patch b/11536.patch new file mode 100644 index 0000000..b18f149 --- /dev/null +++ b/11536.patch @@ -0,0 +1,26 @@ +From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 3 Sep 2024 20:19:02 -0400 +Subject: [PATCH] allow sha1 in OAEP (#11536) + +fixes #11512 +--- + src/rust/src/backend/rsa.rs | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs +index 3c01e7421..066b1412a 100644 +--- a/src/rust/src/backend/rsa.rs ++++ b/src/rust/src/backend/rsa.rs +@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu + } + + fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool { +- (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1()) ++ md == &openssl::hash::MessageDigest::sha1() + || md == &openssl::hash::MessageDigest::sha224() + || md == &openssl::hash::MessageDigest::sha256() + || md == &openssl::hash::MessageDigest::sha384() +-- +2.46.0 + diff --git a/python-cryptography.spec b/python-cryptography.spec index d83d2b1..eff8c1c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
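Review bot: With the FIPS guard dropped, `oaep_hash_supported` in the embedded rsa.rs hunk accepts SHA-1 unconditionally, and nothing on the new side records why that is acceptable on a FIPS-enabled host. A comment above the changed line would help, for example `// SHA-1 stays allowed for OAEP even in FIPS mode; the OpenSSL provider makes the final policy decision (pyca/cryptography#11536)`. The provider claim is not shown in this hunk and should be confirmed before it is written down. The carried patch also adds no test that exercises OAEP with SHA-1 while FIPS is enabled, so a regression in either direction would go unnoticed downstream. The function body continues past the hunk, and the `Patch: 11536.patch` line added to the spec in the next hunk has no comment pointing at the upstream PR, unlike the later `12091.patch` entry.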
@@ -20,6 +20,7 @@ Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py Patch: 11328.patch +Patch: 11536.patch ExclusiveArch: %{rust_arches} From bc4d913fc3b2fb5b81083731af0a64abdb72509e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 18 Jan 2025 13:19:11 +0000 Subject: [PATCH 02/16] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 83987f70ef712cc0b5935dc5e8f2354f74476c30 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Tue, 21 Jan 2025 15:51:57 +0000 Subject: [PATCH 03/16] Update to v44.0.0 This release is largely adding new features. One behavioral which might cause issues is: - Enforce the RFC 5280 requirement that extended key usage extensions must not be empty. Complete changelog: https://github.com/pyca/cryptography/blob/44.0.0/CHANGELOG.rst --- .gitignore | 2 ++ python-cryptography.spec | 6 +----- sources | 4 ++-- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index fca5c45..ea7f662 100644 --- a/.gitignore +++ b/.gitignore @@ -67,3 +67,5 @@ /cryptography-42.0.8-vendor.tar.bz2 /cryptography-43.0.0.tar.gz /cryptography-43.0.0-vendor.tar.bz2 +/cryptography-44.0.0.tar.gz +/cryptography-44.0.0-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index eff8c1c..c4c0e69 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 43.0.0 +Version: 44.0.0 Release: %autorelease Summary: PyCA's cryptography library @@ -19,9 +19,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch: 11328.patch -Patch: 11536.patch - ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel 
@@ -74,7 +71,6 @@ recipes to Python developers. %if 0%{?fedora} %cargo_prep sed -i 's/locked = true//g' pyproject.toml -rm src/rust/Cargo.lock %else # RHEL: use vendored Rust crates %cargo_prep -V 1 diff --git a/sources b/sources index fe39107..d10f2cb 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7 -SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924 +SHA512 (cryptography-44.0.0.tar.gz) = 6a0320ef3ece42e5b501d5381f719e01cb20b2971f0334a8a37f7b9a941482399901500f59817bffb1da579673e7785741a3016f51ac3bbf9bec55ff5df611ad +SHA512 (cryptography-44.0.0-vendor.tar.bz2) = 53b52a5aac5de01ac878e5fb477e890b093e6886d8a0b210801402900000560d7a3b8a85414b81f0ff22aadf6f7bbd94ccace70666709197b97424207942af2b From 78a177912460d18470df2783ed7ef86bdbf84ab5 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Tue, 21 Jan 2025 18:39:23 +0000 Subject: [PATCH 04/16] Include fix to exclude Cargo.toml from wheels Merged upstream at https://github.com/pyca/cryptography/pull/12091 [skip changelog] --- 11328.patch | 36 ------------------------------------ 11536.patch | 26 -------------------------- 12091.patch | 34 ++++++++++++++++++++++++++++++++++ python-cryptography.spec | 5 +++++ 4 files changed, 39 insertions(+), 62 deletions(-) delete mode 100644 11328.patch delete mode 100644 11536.patch create mode 100644 12091.patch diff --git a/11328.patch b/11328.patch deleted file mode 100644 index 3dd1aee..0000000 --- a/11328.patch +++ /dev/null 
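Review bot: The Fedora branch of `%prep` still strips `locked = true` from pyproject.toml but no longer removes a lockfile, and the spec does not say why the `rm` became unnecessary. It also does not say that Fedora builds intentionally resolve crates against the distribution's packages instead of upstream's pinned set. A comment above the `sed` line would make that explicit, for example `# Fedora: build against RPM-packaged crates, so upstream's Cargo.lock pins are deliberately not honoured`. Presumably the lockfile moved in v44 and `%cargo_prep` now deals with it; that is an inference from this hunk and should be checked before the comment is written. The `sed` also exits successfully when the pattern no longer matches, so a preceding `grep -q 'locked = true' pyproject.toml` would catch upstream renaming the key.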
@@ -1,36 +0,0 @@ -From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 22 Jul 2024 09:09:05 +0200 -Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined - -Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE -support. Downstream has moved `openssl/engine.h` into a separate RPM -package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The -compiler flag disables PyCA cryptography's ENGINE support successfully. -We also like to build the downstream package without the `engine.h` -header file present. - -This commit makes the include conditional. The `ENGINE` type is -defined in `openssl/types.h`. - -See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide -See: https://issues.redhat.com/browse/RHEL-33747 -Signed-off-by: Christian Heimes ---- - src/_cffi_src/openssl/engine.py | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py -index 9629a2c8f929..f47e20327003 100644 ---- a/src/_cffi_src/openssl/engine.py -+++ b/src/_cffi_src/openssl/engine.py -@@ -5,7 +5,9 @@ - from __future__ import annotations - - INCLUDES = """ -+#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL - #include -+#endif - """ - - TYPES = """ diff --git a/11536.patch b/11536.patch deleted file mode 100644 index b18f149..0000000 --- a/11536.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 3 Sep 2024 20:19:02 -0400 -Subject: [PATCH] allow sha1 in OAEP (#11536) - -fixes #11512 ---- - src/rust/src/backend/rsa.rs | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs -index 3c01e7421..066b1412a 100644 ---- a/src/rust/src/backend/rsa.rs -+++ b/src/rust/src/backend/rsa.rs -@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu - } - - fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool { -- (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1()) -+ md == &openssl::hash::MessageDigest::sha1() - || md == &openssl::hash::MessageDigest::sha224() - || md == &openssl::hash::MessageDigest::sha256() - || md == &openssl::hash::MessageDigest::sha384() --- -2.46.0 - diff --git a/12091.patch b/12091.patch new file mode 100644 index 0000000..96ef95a --- /dev/null +++ b/12091.patch @@ -0,0 +1,34 @@ +From 68369a6dbae71a9314ac0ecc8b88c435600cb4e9 Mon Sep 17 00:00:00 2001 +From: Johan Andersson +Date: Tue, 3 Dec 2024 00:43:31 +0100 +Subject: [PATCH] build: remove cargo.toml files from wheels + +--- + pyproject.toml | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/pyproject.toml b/pyproject.toml +index 4266e3bd5ba4..0378e78815e3 100644 +--- a/pyproject.toml ++++ b/pyproject.toml +@@ -101,15 +101,17 @@ include = [ + "src/_cffi_src/**/*.c", + "src/_cffi_src/**/*.h", + +- "**/Cargo.toml", +- "**/Cargo.lock", ++ "Cargo.toml", ++ "Cargo.lock", ++ "src/rust/**/Cargo.toml", ++ "src/rust/**/Cargo.lock", + "src/rust/**/*.rs", + + "tests/**/*.py", + ] + exclude = [ + "vectors/**/*", +- "src/rust/target/**/*", ++ "target/**/*", + "docs/_build/**/*", + ".github/**/*", + ".readthedocs.yml", 
diff --git a/python-cryptography.spec b/python-cryptography.spec index c4c0e69..110249d 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -19,6 +19,10 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +# Merged for 45.0.0+ +# https://github.com/pyca/cryptography/pull/12091 +Patch: 12091.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -102,6 +106,7 @@ export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 " # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete +find . -name Cargo.toml -print -delete %pyproject_install %pyproject_save_files %{srcname} From 606ff1ca7ed14791fb66c3029c65397436b2902f Mon Sep 17 00:00:00 2001 From: Fabio Valentini Date: Thu, 6 Feb 2025 13:47:30 +0100 Subject: [PATCH 05/16] Rebuild for openssl crate >= v0.10.70 (RUSTSEC-2025-0004) From 25b75b110cb4173e173476cd88ded741b37c3a98 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Mon, 3 Mar 2025 23:22:02 -0500 Subject: [PATCH 06/16] Do not delete tests/x509 on RHEL tests/x509 now provides imports used by tests in other directories, and no longer require pytz. --- python-cryptography.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 110249d..e10429e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -115,7 +115,7 @@ find . -name Cargo.toml -print -delete %if %{with tests} %if 0%{?rhel} # skip benchmark, hypothesis, and pytz tests on RHEL -rm -rf tests/bench tests/hypothesis tests/x509 +rm -rf tests/bench tests/hypothesis # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py %endif From 683f73c2b86b3035a407c58d8da331232bc68cc1 Mon Sep 17 00:00:00 2001 
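Review bot: The added `find . -name Cargo.toml -print -delete` in `%install` is rooted at the unpacked source tree and runs before `%pyproject_install`. As written it deletes manifests from the build directory (the top-level one and, on RHEL, presumably those of the vendored crates) rather than from the installed package. If the aim is to keep Cargo.toml out of the shipped files, the wheel built in `%build` is what matters, and 12091.patch appears to cover that already. A safety net would more likely belong between `%pyproject_install` and `%pyproject_save_files`, as `find %{buildroot}%{python3_sitearch} -name Cargo.toml -print -delete`. A one-line comment stating the intent is also missing, since the comment above it only talks about `*.c` and `*.h` files; the `%install` section continues outside the hunk.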
From: Yaakov Selkowitz Date: Thu, 6 Mar 2025 11:43:48 -0500 Subject: [PATCH 07/16] Modernize Rust macro usage This adds automatically generated licensing data, and bundled provides for vendored dependencies in the RHEL builds. --- python-cryptography.spec | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index e10429e..91b85b9 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -12,7 +12,13 @@ Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, # as well as the Python Software Foundation license for the OS random # engine derived by CPython. -License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 +# Rust crate dependency licenses: +# Apache-2.0 +# Apache-2.0 OR MIT +# BSD-3-Clause +# MIT +# MIT OR Apache-2.0 +License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 AND Apache-2.0 AND BSD-3-Clause AND MIT AND (MIT OR Apache-2.0) URL: https://cryptography.io/en/latest/ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz # created by ./vendor_rust.py helper script @@ -71,13 +77,13 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -n %{srcname}-%{version} +%autosetup -p1 %{!?fedora:-a1} -n %{srcname}-%{version} %if 0%{?fedora} %cargo_prep sed -i 's/locked = true//g' pyproject.toml %else # RHEL: use vendored Rust crates -%cargo_prep -V 1 +%cargo_prep -v vendor %endif %if ! 0%{?fedora} @@ -89,9 +95,7 @@ sed -i 's,--benchmark-disable,,' pyproject.toml %pyproject_buildrequires %if 0%{?fedora} # Fedora: use RPMified crates -cd src/rust %cargo_generate_buildrequires -cd ../.. %endif 
@@ -101,6 +105,12 @@ export OPENSSL_NO_VENDOR=1 export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 " %pyproject_wheel +%cargo_license_summary +%{cargo_license} > LICENSE.dependencies +%if ! 0%{?fedora} +%cargo_vendor_manifest +%endif + %install # Actually other *.c and *.h are appropriate @@ -139,6 +149,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD +%license LICENSE.dependencies +%if ! 0%{?fedora} +%license cargo-vendor.txt +%endif %changelog From f06f4c280408a86ae39f4a942bc6b2d46038b84f Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 19 May 2025 10:49:48 -0400 Subject: [PATCH 08/16] Update to v45.0.2 This update includes two backwards-incompatible changes with v44: - Made SSH private key loading more consistent with other private key loading: :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key` now raises a TypeError if the key is unencrypted but a password is provided (previously no exception was raised), and raises a TypeError if the key is encrypted but no password is provided (previously a ValueError was raised). - The :meth:`VerifiedClient.subject ` property can now be None since a custom extension policy may allow certificates without a Subject Alternative Name extension. Full changelog: https://github.com/pyca/cryptography/blob/45.0.2/CHANGELOG.rst --- .gitignore | 2 ++ 12091.patch | 34 ---------------------------------- python-cryptography.spec | 6 +----- sources | 4 ++-- 4 files changed, 5 insertions(+), 41 deletions(-) delete mode 100644 12091.patch diff --git a/.gitignore b/.gitignore index ea7f662..6778d54 100644 --- a/.gitignore +++ b/.gitignore @@ -69,3 +69,5 @@ /cryptography-43.0.0-vendor.tar.bz2 /cryptography-44.0.0.tar.gz /cryptography-44.0.0-vendor.tar.bz2 +/cryptography-45.0.2.tar.gz +/cryptography-45.0.2-vendor.tar.bz2 
diff --git a/12091.patch b/12091.patch deleted file mode 100644 index 96ef95a..0000000 --- a/12091.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 68369a6dbae71a9314ac0ecc8b88c435600cb4e9 Mon Sep 17 00:00:00 2001 -From: Johan Andersson -Date: Tue, 3 Dec 2024 00:43:31 +0100 -Subject: [PATCH] build: remove cargo.toml files from wheels - ---- - pyproject.toml | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/pyproject.toml b/pyproject.toml -index 4266e3bd5ba4..0378e78815e3 100644 ---- a/pyproject.toml -+++ b/pyproject.toml -@@ -101,15 +101,17 @@ include = [ - "src/_cffi_src/**/*.c", - "src/_cffi_src/**/*.h", - -- "**/Cargo.toml", -- "**/Cargo.lock", -+ "Cargo.toml", -+ "Cargo.lock", -+ "src/rust/**/Cargo.toml", -+ "src/rust/**/Cargo.lock", - "src/rust/**/*.rs", - - "tests/**/*.py", - ] - exclude = [ - "vectors/**/*", -- "src/rust/target/**/*", -+ "target/**/*", - "docs/_build/**/*", - ".github/**/*", - ".readthedocs.yml", diff --git a/python-cryptography.spec b/python-cryptography.spec index 91b85b9..3907b6b 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 44.0.0 +Version: 45.0.2 Release: %autorelease Summary: PyCA's cryptography library @@ -25,10 +25,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -# Merged for 45.0.0+ -# https://github.com/pyca/cryptography/pull/12091 -Patch: 12091.patch - ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel diff --git a/sources b/sources index d10f2cb..c6a4acc 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-44.0.0.tar.gz) = 6a0320ef3ece42e5b501d5381f719e01cb20b2971f0334a8a37f7b9a941482399901500f59817bffb1da579673e7785741a3016f51ac3bbf9bec55ff5df611ad -SHA512 (cryptography-44.0.0-vendor.tar.bz2) = 53b52a5aac5de01ac878e5fb477e890b093e6886d8a0b210801402900000560d7a3b8a85414b81f0ff22aadf6f7bbd94ccace70666709197b97424207942af2b +SHA512 (cryptography-45.0.2.tar.gz) = c0393f7e75cf5bba3ae8b6deea00d2a27b097ab6c4a5b59727e76d0df537fbbb648bb1879cd85f26aff93e8f4bedfdf178090330dc42e7d1c939a4b4379443e0 +SHA512 (cryptography-45.0.2-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From adc63ac786ecfec84079d5ecb2ee7d8f6a41b5bd Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Sun, 25 May 2025 12:49:30 -0400 Subject: [PATCH 09/16] Update to v45.0.3 This fixes two issues from v45: - Fixed decrypting PKCS#8 files encrypted with long salts (this impacts keys encrypted by Bouncy Castle). - Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. While wildly insecure, this remains prevalent. --- .gitignore | 2 ++ python-cryptography.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 6778d54..4a18b60 100644 --- a/.gitignore +++ b/.gitignore @@ -71,3 +71,5 @@ /cryptography-44.0.0-vendor.tar.bz2 /cryptography-45.0.2.tar.gz /cryptography-45.0.2-vendor.tar.bz2 +/cryptography-45.0.3.tar.gz +/cryptography-45.0.3-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 3907b6b..31b41e2 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 45.0.2 +Version: 45.0.3 Release: %autorelease Summary: PyCA's cryptography library diff --git a/sources b/sources index c6a4acc..9fb264e 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-45.0.2.tar.gz) = c0393f7e75cf5bba3ae8b6deea00d2a27b097ab6c4a5b59727e76d0df537fbbb648bb1879cd85f26aff93e8f4bedfdf178090330dc42e7d1c939a4b4379443e0 -SHA512 (cryptography-45.0.2-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 +SHA512 (cryptography-45.0.3.tar.gz) = 498facb35ad9db2de76c0d5120ae1322b730efeccf62ab324af1e88193e70d177ac92fbdac6b9dafc953c84c43dcc8c6bdabf3dbb3eb0c0854cb16ab0782ddb3 +SHA512 (cryptography-45.0.3-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From 2fadd7bb9ab0a159e6d5f845cd1d6b922c6d6dab Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 3 Jun 2025 13:37:55 +0200 Subject: [PATCH 10/16] Bootstrap for Python 3.14 --- python-cryptography.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index 31b41e2..27fad32 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,3 +1,4 @@ +%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} From 65da927d85a980fe32d693d7f3ae2a5c1703740c Mon Sep 17 00:00:00 2001 From: Python Maint Date: Wed, 4 Jun 2025 18:30:16 +0200 Subject: [PATCH 11/16] Rebuilt for Python 3.14 --- python-cryptography.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 27fad32..31b41e2 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,3 @@ -%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} From 8034f94f7793712d41c2a2b2b3c55ea6a1c85da1 Mon Sep 17 00:00:00 2001 
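Review bot: The new `cryptography-45.0.3-vendor.tar.bz2` line carries exactly the same SHA512 (`5ff61641…a4da06`) as the `cryptography-45.0.2-vendor.tar.bz2` line it replaces, and the 45.0.4 update in PATCH 12/16 repeats that digest a third time. That is consistent with a reproducibly generated vendor tarball whose crate set did not change between releases. From the diff alone, though, it cannot be told apart from an old tarball re-uploaded under a new name without re-running the vendoring helper. It is worth confirming that the tarball was regenerated from the new release's Cargo.lock and saying so in the commit message, for example `vendor tarball regenerated, contents unchanged from 45.0.2`. The RHEL build consumes these crates directly, so a stale vendor set would silently miss any dependency bump upstream made.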
From: Jeremy Cline Date: Wed, 11 Jun 2025 09:31:07 -0400 Subject: [PATCH 12/16] Update to v45.0.4 The upstream release fixes a single issue: - Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This is not considered secure, and is supported only for backwards compatibility.) Fixes rhbz #2371350 --- .gitignore | 2 ++ python-cryptography.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 4a18b60..4ad8197 100644 --- a/.gitignore +++ b/.gitignore @@ -73,3 +73,5 @@ /cryptography-45.0.2-vendor.tar.bz2 /cryptography-45.0.3.tar.gz /cryptography-45.0.3-vendor.tar.bz2 +/cryptography-45.0.4.tar.gz +/cryptography-45.0.4-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 31b41e2..ae9b0b1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 45.0.3 +Version: 45.0.4 Release: %autorelease Summary: PyCA's cryptography library diff --git a/sources b/sources index 9fb264e..e79ea50 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-45.0.3.tar.gz) = 498facb35ad9db2de76c0d5120ae1322b730efeccf62ab324af1e88193e70d177ac92fbdac6b9dafc953c84c43dcc8c6bdabf3dbb3eb0c0854cb16ab0782ddb3 -SHA512 (cryptography-45.0.3-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 +SHA512 (cryptography-45.0.4.tar.gz) = 08b35f414d81f83ee242f5d208f8aabc12dc53f1a0cbffc5be1ed7f9173e9c9863225a7eb5cff4e9f3dacf5e9fcb3e8701e33c441e1562ee13f9e3927fafb3df +SHA512 (cryptography-45.0.4-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From 22e34bf15083c5690415b1cf16fbbafae1ac0c1e Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Fri, 25 Jul 2025 07:25:06 +0000 Subject: [PATCH 13/16] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 5e511855936600aa1b4f9108e740cf9ec0265588 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 15 Aug 2025 13:32:38 +0200 Subject: [PATCH 14/16] Rebuilt for Python 3.14.0rc2 bytecode From 5e1fd8e20da2a7587e12bd6ef621c6ac6a6af07b Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 19 Sep 2025 13:05:04 +0200 Subject: [PATCH 15/16] Rebuilt for Python 3.14.0rc3 bytecode From 1a3a50b8d38e467b5a9b4422d073bf0b915ba94b Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Wed, 22 Oct 2025 13:03:41 +0100 Subject: [PATCH 16/16] Drop pytz test req, only needed for py < 3.9 The pytz requirement now is only used for CI for py < 3.9: pytz==2025.2 ; python_full_version < '3.9' Also drop no longer valid comment snippet --- python-cryptography.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index ae9b0b1..16b4d7e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -49,7 +49,6 @@ BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-xdist -BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 %endif @@ -120,7 +119,7 @@ find . -name Cargo.toml -print -delete %check %if %{with tests} %if 0%{?rhel} -# skip benchmark, hypothesis, and pytz tests on RHEL +# skip benchmark and hypothesis tests on RHEL rm -rf tests/bench tests/hypothesis # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py