Hello community,
here is the log from the commit of package python-securesystemslib for
openSUSE:Factory checked in at 2025-11-10 19:19:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-securesystemslib (Old)
and /work/SRC/openSUSE:Factory/.python-securesystemslib.new.1980 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-securesystemslib"
Mon Nov 10 19:19:39 2025 rev:7 rq:1316823 version:1.3.1
Changes:
--------
---
/work/SRC/openSUSE:Factory/python-securesystemslib/python-securesystemslib.changes
2025-09-26 22:27:08.160622570 +0200
+++
/work/SRC/openSUSE:Factory/.python-securesystemslib.new.1980/python-securesystemslib.changes
2025-11-10 19:19:46.330460764 +0100
@@ -1,0 +2,10 @@
+Mon Nov 10 08:27:15 UTC 2025 - Dirk Müller <[email protected]>
+
+- update to 1.3.1:
+ * AWSSigner: Don't send payload to AWS for signing, send hash
+ only
+ * Set Development status classifier to "production/stable" in
+ Python packaging
+ * Minor infrastructure changes
+
+-------------------------------------------------------------------
Old:
----
securesystemslib-1.3.0.tar.gz
New:
----
securesystemslib-1.3.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-securesystemslib.spec ++++++
--- /var/tmp/diff_new_pack.1nF8id/_old 2025-11-10 19:19:47.146495024 +0100
+++ /var/tmp/diff_new_pack.1nF8id/_new 2025-11-10 19:19:47.150495192 +0100
@@ -1,7 +1,7 @@
#
# spec file for package python-securesystemslib
#
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -15,9 +15,10 @@
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
+
%{?sle15_python_module_pythons}
Name: python-securesystemslib
-Version: 1.3.0
+Version: 1.3.1
Release: 0
Summary: Cryptographic and general routines for Secure Systems Lab
License: MIT
++++++ securesystemslib-1.3.0.tar.gz -> securesystemslib-1.3.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/.gitignore
new/securesystemslib-1.3.1/.gitignore
--- old/securesystemslib-1.3.0/.gitignore 2020-02-02 01:00:00.000000000
+0100
+++ new/securesystemslib-1.3.1/.gitignore 2020-02-02 01:00:00.000000000
+0100
@@ -16,5 +16,8 @@
.DS_Store
.python-version
+# PyCharm IDE
+.idea/
+
# Sphinx documentation
docs/_build/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/CHANGELOG.md
new/securesystemslib-1.3.1/CHANGELOG.md
--- old/securesystemslib-1.3.0/CHANGELOG.md 2020-02-02 01:00:00.000000000
+0100
+++ new/securesystemslib-1.3.1/CHANGELOG.md 2020-02-02 01:00:00.000000000
+0100
@@ -1,5 +1,15 @@
# Changelog
+## securesystemslib v1.3.1
+
+### Fixed
+* AWSSigner: Don't send payload to AWS for signing, send hash only (#1026)
+* Set Development status classifier to "production/stable" in Python
+ packaging (#1030)
+
+### Internals
+* Minor infrastructure changes (#1005, #1013)
+
## securesystemslib v1.3.0
The `hash` module will be removed in the next major version. Consider using
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/PKG-INFO
new/securesystemslib-1.3.1/PKG-INFO
--- old/securesystemslib-1.3.0/PKG-INFO 2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/PKG-INFO 2020-02-02 01:00:00.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: securesystemslib
-Version: 1.3.0
+Version: 1.3.1
Summary: A library that provides cryptographic and general-purpose routines
for Secure Systems Lab projects at NYU
Project-URL: Homepage, https://github.com/secure-systems-lab/securesystemslib
Project-URL: Source, https://github.com/secure-systems-lab/securesystemslib
@@ -9,7 +9,7 @@
License-Expression: MIT
License-File: LICENSE
Keywords: cryptography,ecdsa,ed25519,keys,rsa,signatures
-Classifier: Development Status :: 4 - Beta
+Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Natural Language :: English
Classifier: Operating System :: MacOS :: MacOS X
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/pyproject.toml
new/securesystemslib-1.3.1/pyproject.toml
--- old/securesystemslib-1.3.0/pyproject.toml 2020-02-02 01:00:00.000000000
+0100
+++ new/securesystemslib-1.3.1/pyproject.toml 2020-02-02 01:00:00.000000000
+0100
@@ -18,7 +18,7 @@
"ecdsa",
]
classifiers = [
- "Development Status :: 4 - Beta",
+ "Development Status :: 5 - Production/Stable",
"Intended Audience :: Developers",
"Natural Language :: English",
"Operating System :: POSIX",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/requirements-aws.txt
new/securesystemslib-1.3.1/requirements-aws.txt
--- old/securesystemslib-1.3.0/requirements-aws.txt 2020-02-02
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/requirements-aws.txt 2020-02-02
01:00:00.000000000 +0100
@@ -1,2 +1,2 @@
-boto3~=1.37.34
-botocore~=1.37.34
+boto3~=1.40.26
+botocore~=1.40.26
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/requirements-build.txt
new/securesystemslib-1.3.1/requirements-build.txt
--- old/securesystemslib-1.3.0/requirements-build.txt 2020-02-02
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/requirements-build.txt 2020-02-02
01:00:00.000000000 +0100
@@ -1 +1 @@
-build==1.2.2.post1
+build==1.3.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/requirements-lint.txt
new/securesystemslib-1.3.1/requirements-lint.txt
--- old/securesystemslib-1.3.0/requirements-lint.txt 2020-02-02
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/requirements-lint.txt 2020-02-02
01:00:00.000000000 +0100
@@ -1,3 +1,3 @@
-mypy==1.15.0
-ruff==0.11.5
-zizmor==1.5.2
\ No newline at end of file
+mypy==1.18.2
+ruff==0.13.1
+zizmor==1.13.0
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/requirements-pinned.txt
new/securesystemslib-1.3.1/requirements-pinned.txt
--- old/securesystemslib-1.3.0/requirements-pinned.txt 2020-02-02
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/requirements-pinned.txt 2020-02-02
01:00:00.000000000 +0100
@@ -10,11 +10,11 @@
# via
# cryptography
# pyspx
-cryptography==43.0.3
+cryptography==45.0.7
# via -r requirements.txt
pycparser==2.22
# via cffi
-pykcs11==1.5.17
+pykcs11==1.5.18
# via -r requirements.txt
pyspx==0.5.0 ; platform_system != "Windows"
# via -r requirements.txt
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/requirements-sigstore.txt
new/securesystemslib-1.3.1/requirements-sigstore.txt
--- old/securesystemslib-1.3.0/requirements-sigstore.txt 2020-02-02
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/requirements-sigstore.txt 2020-02-02
01:00:00.000000000 +0100
@@ -1 +1 @@
-sigstore==3.6.2
+sigstore==3.6.5
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/requirements-test.txt
new/securesystemslib-1.3.1/requirements-test.txt
--- old/securesystemslib-1.3.0/requirements-test.txt 2020-02-02
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/requirements-test.txt 2020-02-02
01:00:00.000000000 +0100
@@ -1,2 +1,2 @@
# additional test tools
-coverage==7.8.0
+coverage==7.10.7
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/securesystemslib/__init__.py
new/securesystemslib-1.3.1/securesystemslib/__init__.py
--- old/securesystemslib-1.3.0/securesystemslib/__init__.py 2020-02-02
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/securesystemslib/__init__.py 2020-02-02
01:00:00.000000000 +0100
@@ -1,6 +1,6 @@
import logging
-__version__ = "1.3.0"
+__version__ = "1.3.1"
# Configure a basic 'securesystemslib' top-level logger with a StreamHandler
# (print to console) and the WARNING log level (print messages of type
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/securesystemslib/dsse.py
new/securesystemslib-1.3.1/securesystemslib/dsse.py
--- old/securesystemslib-1.3.0/securesystemslib/dsse.py 2020-02-02
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/securesystemslib/dsse.py 2020-02-02
01:00:00.000000000 +0100
@@ -42,6 +42,9 @@
and self.signatures == other.signatures
)
+ def __hash__(self) -> int:
+ return hash((self.payload, self.payload_type, self.signatures))
+
@classmethod
def from_dict(cls, data: dict) -> Envelope:
"""Creates a DSSE Envelope from its JSON/dict representation.
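Review bot: The added `__hash__` passes `self.signatures` straight into `hash()`, and if that attribute is a dict or list (its type is not visible in this hunk) the call raises `TypeError: unhashable type` at runtime instead of returning a value. The same concern applies to `self.keyval` and `self.unrecognized_fields` in the `__hash__` added to `_key.py`, and to `self.unrecognized_fields` in the one added to `_signature.py`. If these objects are meant to stay unhashable because they are mutable, `__hash__ = None  # mutable, compared by value` states that explicitly. If they are meant to be usable in sets or as dict keys, the tuple should be built from immutable views of those fields, and a test that calls `hash()` on each class would pin the behaviour. The class body starts and continues outside the hunk.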
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/securesystemslib-1.3.0/securesystemslib/signer/_aws_signer.py
new/securesystemslib-1.3.1/securesystemslib/signer/_aws_signer.py
--- old/securesystemslib-1.3.0/securesystemslib/signer/_aws_signer.py
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/securesystemslib/signer/_aws_signer.py
2020-02-02 01:00:00.000000000 +0100
@@ -2,6 +2,7 @@
from __future__ import annotations
+import hashlib
import logging
from urllib import parse
@@ -32,6 +33,8 @@
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN. These will
be recognized by the boto3 SDK, which underlies the aws_kms Python module.
+ The signer computes hash digests locally and sends only the digest to AWS
KMS.
+
For more details on AWS authentication, refer to the AWS Command Line
Interface User Guide:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
@@ -187,8 +190,8 @@
def sign(self, payload: bytes) -> Signature:
"""Sign the payload with the AWS KMS key
- This method sends the payload to AWS KMS, where it is signed using the
specified
- key and algorithm using the raw message type.
+ This method computes the hash of the payload locally and sends only the
+ digest to AWS KMS for signing.
Arguments:
payload (bytes): The payload to be signed.
@@ -200,10 +203,15 @@
Signature: A signature object containing the key ID and the
signature.
"""
try:
+ hash_algorithm = self.public_key.get_hash_algorithm_name()
+ hasher = hashlib.new(hash_algorithm)
+ hasher.update(payload)
+ digest = hasher.digest()
+
sign_request = self.client.sign(
KeyId=self.aws_key_id,
- Message=payload,
- MessageType="RAW",
+ Message=digest,
+ MessageType="DIGEST",
SigningAlgorithm=self.aws_algo,
)
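Review bot: Nothing in this hunk checks that the locally computed digest matches the hash implied by `self.aws_algo`: the digest algorithm comes from `self.public_key.get_hash_algorithm_name()`, while the signing algorithm sent to KMS comes from `self.aws_algo`. With `MessageType="DIGEST"` the service signs the bytes it receives as a digest and does not hash them itself, so a disagreement between the two would show up only as a KMS error or a signature that fails verification. A comment above the hashing lines would record the invariant, e.g. `# DIGEST mode: KMS does not hash; the digest algorithm must match the hash in self.aws_algo`. `hashlib.new()` raises `ValueError` for a name it does not recognise, and the `except` clause of this `try` is outside the hunk, so it is worth confirming that this error is reported the same way as a failed KMS call. The body of `sign` begins and ends outside the hunk.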
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/securesystemslib-1.3.0/securesystemslib/signer/_key.py
new/securesystemslib-1.3.1/securesystemslib/signer/_key.py
--- old/securesystemslib-1.3.0/securesystemslib/signer/_key.py 2020-02-02
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/securesystemslib/signer/_key.py 2020-02-02
01:00:00.000000000 +0100
@@ -127,6 +127,17 @@
and self.unrecognized_fields == other.unrecognized_fields
)
+ def __hash__(self) -> int:
+ return hash(
+ (
+ self.keyid,
+ self.keytype,
+ self.scheme,
+ self.keyval,
+ self.unrecognized_fields,
+ )
+ )
+
@classmethod
@abstractmethod
def from_dict(cls, keyid: str, key_dict: dict[str, Any]) -> Key:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/securesystemslib-1.3.0/securesystemslib/signer/_signature.py
new/securesystemslib-1.3.1/securesystemslib/signer/_signature.py
--- old/securesystemslib-1.3.0/securesystemslib/signer/_signature.py
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/securesystemslib/signer/_signature.py
2020-02-02 01:00:00.000000000 +0100
@@ -55,6 +55,9 @@
and self.unrecognized_fields == other.unrecognized_fields
)
+ def __hash__(self) -> int:
+ return hash((self.keyid, self.signature, self.unrecognized_fields))
+
@classmethod
def from_dict(cls, signature_dict: dict) -> Signature:
"""Creates a Signature object from its JSON/dict representation.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/securesystemslib-1.3.0/securesystemslib/signer/_sigstore_signer.py
new/securesystemslib-1.3.1/securesystemslib/signer/_sigstore_signer.py
--- old/securesystemslib-1.3.0/securesystemslib/signer/_sigstore_signer.py
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/securesystemslib/signer/_sigstore_signer.py
2020-02-02 01:00:00.000000000 +0100
@@ -22,6 +22,8 @@
IMPORT_ERROR = "sigstore library required to use 'sigstore-oidc' keys"
+# ruff: noqa: PLC0415
+
logger = logging.getLogger(__name__)
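Review bot: `# ruff: noqa: PLC0415` is a file-level directive, so it turns off the import-outside-top-level check for every function in this module, wherever the comment is placed. The function-scope `sigstore` imports it presumably targets are outside this hunk. Putting `# noqa: PLC0415` on each of those import lines would keep the exemption next to the code it covers. If the file-wide form is kept, a reason on the line above it would help, e.g. `# sigstore is an optional dependency, imported inside the functions that need it`.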
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/tests/aggregate_tests.py
new/securesystemslib-1.3.1/tests/aggregate_tests.py
--- old/securesystemslib-1.3.0/tests/aggregate_tests.py 2020-02-02
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/tests/aggregate_tests.py 2020-02-02
01:00:00.000000000 +0100
@@ -27,7 +27,7 @@
if __name__ == "__main__":
suite = unittest.TestLoader().discover("tests", top_level_dir=".")
all_tests_passed = (
- unittest.TextTestRunner(verbosity=1,
buffer=True).run(suite).wasSuccessful()
+ unittest.TextTestRunner(verbosity=2,
buffer=True).run(suite).wasSuccessful()
)
if not all_tests_passed:
sys.exit(1)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/securesystemslib-1.3.0/tox.ini
new/securesystemslib-1.3.1/tox.ini
--- old/securesystemslib-1.3.0/tox.ini 2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.1/tox.ini 2020-02-02 01:00:00.000000000 +0100
@@ -70,7 +70,7 @@
ruff check {[testenv:lint]lint_dirs}
mypy securesystemslib
- zizmor --persona=pedantic -q .
+ zizmor --persona=regular -q .
[testenv:fix]
deps = {[testenv:lint]deps}
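Review bot: Switching `zizmor` from `--persona=pedantic` to `--persona=regular` makes the workflow audit in the lint environment less strict, and nothing in the hunk records why. A comment next to the command would let a later maintainer judge whether the stricter persona can be restored, e.g. `# regular persona: pedantic findings for <rule or workflow> are tracked in <issue id>`. The `commands` value this line belongs to starts outside the hunk.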