Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python-securesystemslib for 
openSUSE:Factory checked in at 2026-06-15 19:44:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-securesystemslib (Old)
 and      /work/SRC/openSUSE:Factory/.python-securesystemslib.new.1981 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-securesystemslib"

Mon Jun 15 19:44:01 2026 rev:8 rq:1359298 version:1.4.0

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/python-securesystemslib/python-securesystemslib.changes
  2025-11-10 19:19:46.330460764 +0100
+++ 
/work/SRC/openSUSE:Factory/.python-securesystemslib.new.1981/python-securesystemslib.changes
        2026-06-15 19:47:15.352999027 +0200
@@ -1,0 +2,10 @@
+Sun Jun 14 19:18:58 UTC 2026 - Dirk Müller <[email protected]>
+
+- update to 1.4.0:
+  * HSMSigner: Fix usage with multi-byte keyids
+  * SigstoreSigner: Update to current sigstore-python API
+  * Deprecate Python 3.9 support
+  * Various testing changes -- note that AWS is currently not
+    tested in CI (see #1104)
+
+-------------------------------------------------------------------

Old:
----
  securesystemslib-1.3.1.tar.gz

New:
----
  securesystemslib-1.4.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-securesystemslib.spec ++++++
--- /var/tmp/diff_new_pack.T5DLxA/_old  2026-06-15 19:47:16.249036578 +0200
+++ /var/tmp/diff_new_pack.T5DLxA/_new  2026-06-15 19:47:16.249036578 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package python-securesystemslib
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 %{?sle15_python_module_pythons}
 Name:           python-securesystemslib
-Version:        1.3.1
+Version:        1.4.0
 Release:        0
 Summary:        Cryptographic and general routines for Secure Systems Lab
 License:        MIT
@@ -26,15 +26,15 @@
 Source:         
https://files.pythonhosted.org/packages/source/s/securesystemslib/securesystemslib-%{version}.tar.gz
 BuildRequires:  %{python_module PyKCS11}
 BuildRequires:  %{python_module asn1crypto}
-BuildRequires:  %{python_module cryptography >= 3.3.2}
-BuildRequires:  %{python_module hatchling}
+BuildRequires:  %{python_module cryptography >= 40.0.0}
+BuildRequires:  %{python_module hatchling >= 1.29.0}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module pytest}
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 Requires:       python-PyKCS11
 Requires:       python-asn1crypto
-Requires:       python-cryptography
+Requires:       python-cryptography >= 40.0.0
 BuildArch:      noarch
 %python_subpackages
 

++++++ securesystemslib-1.3.1.tar.gz -> securesystemslib-1.4.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/CHANGELOG.md 
new/securesystemslib-1.4.0/CHANGELOG.md
--- old/securesystemslib-1.3.1/CHANGELOG.md     2020-02-02 01:00:00.000000000 
+0100
+++ new/securesystemslib-1.4.0/CHANGELOG.md     2020-02-02 01:00:00.000000000 
+0100
@@ -1,5 +1,18 @@
 # Changelog
 
+## securesystemslib v1.4.0
+
+### Fixed
+
+* HSMSigner: Fix usage with multi-byte keyids (#1107)
+
+### Changed
+
+* SigstoreSigner: Update to current sigstore-python API (#1035)
+* Deprecate Python 3.9 support (#1069)
+* Various testing changes -- note that AWS is currently not tested
+  in CI (see #1104)
+
 ## securesystemslib v1.3.1
 
 ### Fixed
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/PKG-INFO 
new/securesystemslib-1.4.0/PKG-INFO
--- old/securesystemslib-1.3.1/PKG-INFO 2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/PKG-INFO 2020-02-02 01:00:00.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: securesystemslib
-Version: 1.3.1
+Version: 1.4.0
 Summary: A library that provides cryptographic and general-purpose routines 
for Secure Systems Lab projects at NYU
 Project-URL: Homepage, https://github.com/secure-systems-lab/securesystemslib
 Project-URL: Source, https://github.com/secure-systems-lab/securesystemslib
@@ -17,15 +17,15 @@
 Classifier: Operating System :: POSIX
 Classifier: Operating System :: POSIX :: Linux
 Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
 Classifier: Programming Language :: Python :: Implementation :: CPython
 Classifier: Topic :: Security
 Classifier: Topic :: Software Development
-Requires-Python: ~=3.8
+Requires-Python: ~=3.10
 Provides-Extra: awskms
 Requires-Dist: boto3; extra == 'awskms'
 Requires-Dist: botocore; extra == 'awskms'
@@ -46,7 +46,7 @@
 Provides-Extra: pyspx
 Requires-Dist: pyspx>=0.5.0; extra == 'pyspx'
 Provides-Extra: sigstore
-Requires-Dist: sigstore~=3.0; extra == 'sigstore'
+Requires-Dist: sigstore<5,>=4; extra == 'sigstore'
 Provides-Extra: vault
 Requires-Dist: cryptography>=40.0.0; extra == 'vault'
 Requires-Dist: hvac; extra == 'vault'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/pyproject.toml 
new/securesystemslib-1.4.0/pyproject.toml
--- old/securesystemslib-1.3.1/pyproject.toml   2020-02-02 01:00:00.000000000 
+0100
+++ new/securesystemslib-1.4.0/pyproject.toml   2020-02-02 01:00:00.000000000 
+0100
@@ -1,5 +1,5 @@
 [build-system]
-requires = ["hatchling==1.27.0"]
+requires = ["hatchling==1.29.0"]
 build-backend = "hatchling.build"
 
 [project]
@@ -26,16 +26,16 @@
     "Operating System :: MacOS :: MacOS X",
     "Operating System :: Microsoft :: Windows",
     "Programming Language :: Python :: 3",
-    "Programming Language :: Python :: 3.9",
     "Programming Language :: Python :: 3.10",
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
     "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
     "Programming Language :: Python :: Implementation :: CPython",
     "Topic :: Security",
     "Topic :: Software Development",
 ]
-requires-python = "~=3.8"
+requires-python = "~=3.10"
 dynamic = ["version"]
 
 [project.urls]
@@ -50,7 +50,7 @@
 awskms = ["boto3", "botocore", "cryptography>=40.0.0"]
 hsm = ["asn1crypto", "cryptography>=40.0.0", "PyKCS11"]
 PySPX = ["PySPX>=0.5.0"]
-sigstore = ["sigstore~=3.0"]
+sigstore = ["sigstore>=4,<5"]
 vault = ["hvac", "cryptography>=40.0.0"]
 
 [tool.hatch.version]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/requirements-aws.txt 
new/securesystemslib-1.4.0/requirements-aws.txt
--- old/securesystemslib-1.3.1/requirements-aws.txt     2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/requirements-aws.txt     2020-02-02 
01:00:00.000000000 +0100
@@ -1,2 +1,2 @@
-boto3~=1.40.26
-botocore~=1.40.26
+boto3~=1.42.64
+botocore~=1.42.64
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/requirements-build.txt 
new/securesystemslib-1.4.0/requirements-build.txt
--- old/securesystemslib-1.3.1/requirements-build.txt   2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/requirements-build.txt   2020-02-02 
01:00:00.000000000 +0100
@@ -1 +1 @@
-build==1.3.0
+build==1.5.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/requirements-lint.txt 
new/securesystemslib-1.4.0/requirements-lint.txt
--- old/securesystemslib-1.3.1/requirements-lint.txt    2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/requirements-lint.txt    2020-02-02 
01:00:00.000000000 +0100
@@ -1,3 +1,3 @@
-mypy==1.18.2
-ruff==0.13.1
-zizmor==1.13.0
\ No newline at end of file
+mypy==1.20.2
+ruff==0.15.13
+zizmor==1.25.2
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/requirements-pinned.txt 
new/securesystemslib-1.4.0/requirements-pinned.txt
--- old/securesystemslib-1.3.1/requirements-pinned.txt  2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/requirements-pinned.txt  2020-02-02 
01:00:00.000000000 +0100
@@ -6,13 +6,13 @@
 #
 asn1crypto==1.5.1
     # via -r requirements.txt
-cffi==1.17.1
+cffi==2.0.0
     # via
     #   cryptography
     #   pyspx
-cryptography==45.0.7
+cryptography==46.0.7
     # via -r requirements.txt
-pycparser==2.22
+pycparser==3.0
     # via cffi
 pykcs11==1.5.18
     # via -r requirements.txt
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/requirements-sigstore.txt 
new/securesystemslib-1.4.0/requirements-sigstore.txt
--- old/securesystemslib-1.3.1/requirements-sigstore.txt        2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/requirements-sigstore.txt        2020-02-02 
01:00:00.000000000 +0100
@@ -1 +1 @@
-sigstore==3.6.5
+sigstore==4.2.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/requirements-test.txt 
new/securesystemslib-1.4.0/requirements-test.txt
--- old/securesystemslib-1.3.1/requirements-test.txt    2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/requirements-test.txt    2020-02-02 
01:00:00.000000000 +0100
@@ -1,2 +1,2 @@
 # additional test tools
-coverage==7.10.7
+coverage==7.13.5
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/requirements-vault.txt 
new/securesystemslib-1.4.0/requirements-vault.txt
--- old/securesystemslib-1.3.1/requirements-vault.txt   2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/requirements-vault.txt   2020-02-02 
01:00:00.000000000 +0100
@@ -1 +1 @@
-hvac==2.3.0
+hvac==2.4.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/securesystemslib/__init__.py 
new/securesystemslib-1.4.0/securesystemslib/__init__.py
--- old/securesystemslib-1.3.1/securesystemslib/__init__.py     2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/securesystemslib/__init__.py     2020-02-02 
01:00:00.000000000 +0100
@@ -1,6 +1,6 @@
 import logging
 
-__version__ = "1.3.1"
+__version__ = "1.4.0"
 
 # Configure a basic 'securesystemslib' top-level logger with a StreamHandler
 # (print to console) and the WARNING log level (print messages of type
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.3.1/securesystemslib/_vendor/test-ed25519-upstream.sh 
new/securesystemslib-1.4.0/securesystemslib/_vendor/test-ed25519-upstream.sh
--- 
old/securesystemslib-1.3.1/securesystemslib/_vendor/test-ed25519-upstream.sh    
    2020-02-02 01:00:00.000000000 +0100
+++ 
new/securesystemslib-1.4.0/securesystemslib/_vendor/test-ed25519-upstream.sh    
    2020-02-02 01:00:00.000000000 +0100
@@ -12,7 +12,7 @@
 # This commit matches our securesystemslib/_vendor/ed25519/ content.
 # If upstream changes, we should review the changes, vendor them,
 # and update the hash here
-pyca_ed25519_expected="08a7962a8059e4546a21b97f4a847f75cd1a1bbb"
+pyca_ed25519_expected="aab70bc53cae6a9f67dd1aab8552810d7a4ae382"
 pyca_ed25519_git_url="https://github.com/pyca/ed25519.git";
 
 pyca_ed25519_main_head=$(git ls-remote "$pyca_ed25519_git_url" main | cut -f1)
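Review bot: `pyca_ed25519_expected` moves to a new upstream commit, but this package diff shows no change under `securesystemslib/_vendor/ed25519/`, while the comment above the assignment says the hash should match the vendored content. If the upstream delta was reviewed and judged not to need vendoring, that decision should be recorded next to the hash, e.g. `# upstream changes up to this commit reviewed; no vendored code affected`. Without that, the check no longer states which upstream revision the vendored code corresponds to.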
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/securesystemslib/formats.py 
new/securesystemslib-1.4.0/securesystemslib/formats.py
--- old/securesystemslib-1.3.1/securesystemslib/formats.py      2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/securesystemslib/formats.py      2020-02-02 
01:00:00.000000000 +0100
@@ -20,7 +20,7 @@
 
 """
 
-from typing import Callable, Optional, Union
+from collections.abc import Callable
 
 from securesystemslib import exceptions
 
@@ -52,7 +52,7 @@
 
 
 def _encode_canonical(
-    object: Union[bool, None, str, int, tuple, list, dict], output_function: 
Callable
+    object: bool | None | str | int | tuple | list | dict, output_function: 
Callable
 ) -> None:
     # Helper for encode_canonical.  Older versions of json.encoder don't
     # even let us replace the separators.
@@ -94,9 +94,9 @@
 
 
 def encode_canonical(
-    object: Union[bool, None, str, int, tuple, list, dict],
-    output_function: Optional[Callable] = None,
-) -> Union[str, None]:
+    object: bool | None | str | int | tuple | list | dict,
+    output_function: Callable | None = None,
+) -> str | None:
     """
     <Purpose>
       Encoding an object so that it is always has the same string format
@@ -150,7 +150,7 @@
       A string representing the 'object' encoded in canonical JSON form.
     """
 
-    result: Union[None, list] = None
+    result: None | list = None
     # If 'output_function' is unset, treat it as
     # appending to a list.
     if output_function is None:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.3.1/securesystemslib/signer/_crypto_signer.py 
new/securesystemslib-1.4.0/securesystemslib/signer/_crypto_signer.py
--- old/securesystemslib-1.3.1/securesystemslib/signer/_crypto_signer.py        
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/securesystemslib/signer/_crypto_signer.py        
2020-02-02 01:00:00.000000000 +0100
@@ -3,7 +3,6 @@
 import logging
 import os
 from dataclasses import astuple, dataclass
-from typing import Optional, Union
 from urllib import parse
 
 from securesystemslib.exceptions import UnsupportedLibraryError
@@ -116,7 +115,7 @@
     def __init__(
         self,
         private_key: "PrivateKeyTypes",
-        public_key: Optional[SSlibKey] = None,
+        public_key: SSlibKey | None = None,
     ):
         if CRYPTO_IMPORT_ERROR:
             raise UnsupportedLibraryError(CRYPTO_IMPORT_ERROR)
@@ -125,7 +124,7 @@
             public_key = SSlibKey.from_crypto(private_key.public_key())
 
         self._private_key: PrivateKeyTypes
-        self._sign_args: Union[_RSASignArgs, _ECDSASignArgs, _NoSignArgs]
+        self._sign_args: _RSASignArgs | _ECDSASignArgs | _NoSignArgs
 
         if public_key.keytype == "rsa" and public_key.scheme in [
             "rsassa-pss-sha224",
@@ -195,7 +194,7 @@
         cls,
         priv_key_uri: str,
         public_key: Key,
-        secrets_handler: Optional[SecretsHandler] = None,
+        secrets_handler: SecretsHandler | None = None,
     ) -> "CryptoSigner":
         """Constructor for Signer to call
 
@@ -248,7 +247,7 @@
 
     @staticmethod
     def generate_ed25519(
-        keyid: Optional[str] = None,
+        keyid: str | None = None,
     ) -> "CryptoSigner":
         """Generate new key pair as "ed25519" signer.
 
@@ -270,8 +269,8 @@
 
     @staticmethod
     def generate_rsa(
-        keyid: Optional[str] = None,
-        scheme: Optional[str] = "rsassa-pss-sha256",
+        keyid: str | None = None,
+        scheme: str | None = "rsassa-pss-sha256",
         size: int = 3072,
     ) -> "CryptoSigner":
         """Generate new key pair as rsa signer.
@@ -299,7 +298,7 @@
 
     @staticmethod
     def generate_ecdsa(
-        keyid: Optional[str] = None,
+        keyid: str | None = None,
     ) -> "CryptoSigner":
         """Generate new key pair as "ecdsa-sha2-nistp256" signer.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.3.1/securesystemslib/signer/_hsm_signer.py 
new/securesystemslib-1.4.0/securesystemslib/signer/_hsm_signer.py
--- old/securesystemslib-1.3.1/securesystemslib/signer/_hsm_signer.py   
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/securesystemslib/signer/_hsm_signer.py   
2020-02-02 01:00:00.000000000 +0100
@@ -210,11 +210,13 @@
         if key_type is None:
             key_type = PyKCS11.CKO_PUBLIC_KEY
 
+        cka_id_filter = list(keyid.to_bytes((keyid.bit_length() + 7) // 8 or 
1, "big"))
+
         keys = session.findObjects(
             [
                 (PyKCS11.CKA_CLASS, key_type),
                 (PyKCS11.CKA_KEY_TYPE, PyKCS11.CKK_ECDSA),
-                (PyKCS11.CKA_ID, (keyid,)),
+                (PyKCS11.CKA_ID, cka_id_filter),
             ]
         )
         if not keys:
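Review bot: The new `cka_id_filter` line encodes `keyid` as minimal-length big-endian bytes with no comment and no input check, so a negative `keyid` raises a bare `OverflowError` from `int.to_bytes`, and a key whose CKA_ID carries leading zero bytes (for example 0x00 0x01) cannot be selected through an integer keyid at all. I would add a guard such as `if keyid < 0: raise ValueError("keyid must be non-negative")` and a comment like `# CKA_ID is a byte string: encode keyid as minimal big-endian bytes (0 -> one zero byte)`. The same expression is copied into `_generate_key_pair` in tests/test_hsm_signer.py, so the test cannot detect a mismatch between this encoding and what a provisioning tool wrote on a real token; a small shared helper would keep the two aligned. The enclosing function starts and ends outside the hunk, so the exception type its callers expect is not visible here.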
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.3.1/securesystemslib/signer/_signer.py 
new/securesystemslib-1.4.0/securesystemslib/signer/_signer.py
--- old/securesystemslib-1.3.1/securesystemslib/signer/_signer.py       
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/securesystemslib/signer/_signer.py       
2020-02-02 01:00:00.000000000 +0100
@@ -4,7 +4,7 @@
 
 import logging
 from abc import ABCMeta, abstractmethod
-from typing import Callable
+from collections.abc import Callable
 
 from securesystemslib.signer._key import Key
 from securesystemslib.signer._signature import Signature
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.3.1/securesystemslib/signer/_sigstore_signer.py 
new/securesystemslib-1.4.0/securesystemslib/signer/_sigstore_signer.py
--- old/securesystemslib-1.3.1/securesystemslib/signer/_sigstore_signer.py      
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/securesystemslib/signer/_sigstore_signer.py      
2020-02-02 01:00:00.000000000 +0100
@@ -156,6 +156,7 @@
         secrets_handler: SecretsHandler | None = None,
     ) -> SigstoreSigner:
         try:
+            from sigstore.models import ClientTrustConfig
             from sigstore.oidc import IdentityToken, Issuer, detect_credential
         except ImportError as e:
             raise UnsupportedLibraryError(IMPORT_ERROR) from e
@@ -174,7 +175,9 @@
         if not ambient:
             # TODO: Restrict oauth flow to use identity/issuer from public_key
             # TODO: Use secrets_handler for identity_token() secret arg
-            token = Issuer.production().identity_token()
+            trust_config = ClientTrustConfig.production()
+            issuer = Issuer(trust_config.signing_config.get_oidc_url())
+            token = issuer.identity_token()
         else:
             credential = detect_credential()
             if not credential:
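Review bot: The three lines that build an `Issuer` from `ClientTrustConfig.production()` are repeated verbatim here and in the next hunk (@@ -233,12 +236,15 @@), and `sign()` constructs a further `ClientTrustConfig.production()` on every call (@@ -257,11 +263,12 @@). If `production()` refreshes trust material over the network, as it appears to, each signature pays for that refresh, and the issuer used to obtain the token and the context used to sign come from separately loaded configs. Loading the config once per signer and passing it to both places, behind one private helper, would remove the duplication. None of the call sites says why the issuer URL is taken from `signing_config`; a comment such as `# sigstore 4.x: derive the OIDC issuer from the production trust config` would do. The method bodies continue outside these hunks.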
@@ -233,12 +236,15 @@
         key. This method always uses the interactive authentication.
         """
         try:
+            from sigstore.models import ClientTrustConfig
             from sigstore.oidc import Issuer
         except ImportError as e:
             raise UnsupportedLibraryError(IMPORT_ERROR) from e
 
         # authenticate to get the identity and issuer
-        token = Issuer.production().identity_token()
+        trust_config = ClientTrustConfig.production()
+        issuer = Issuer(trust_config.signing_config.get_oidc_url())
+        token = issuer.identity_token()
         return cls.import_(token.identity, token.federated_issuer, False)
 
     def sign(self, payload: bytes) -> Signature:
@@ -257,11 +263,12 @@
 
         """
         try:
+            from sigstore.models import ClientTrustConfig
             from sigstore.sign import SigningContext
         except ImportError as e:
             raise UnsupportedLibraryError(IMPORT_ERROR) from e
 
-        context = SigningContext.production()
+        context = 
SigningContext.from_trust_config(ClientTrustConfig.production())
         with context.signer(self._token) as sigstore_signer:
             bundle = sigstore_signer.sign_artifact(payload)
         # We want to access the actual signature, see
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.3.1/tests/check_sigstore_signer.py 
new/securesystemslib-1.4.0/tests/check_sigstore_signer.py
--- old/securesystemslib-1.3.1/tests/check_sigstore_signer.py   2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/tests/check_sigstore_signer.py   2020-02-02 
01:00:00.000000000 +0100
@@ -9,16 +9,10 @@
 tests.
 """
 
-import json
-import os
-import subprocess
-import time
+import functools
 import unittest
-from base64 import b64decode
-from datetime import datetime, timedelta
-from pathlib import Path
-from tempfile import TemporaryDirectory
 from unittest import mock
+from urllib import request
 
 from securesystemslib.exceptions import (
     UnverifiedSignatureError,
@@ -32,73 +26,24 @@
 
 SIGNER_FOR_URI_SCHEME[SigstoreSigner.SCHEME] = SigstoreSigner
 
-TEST_IDENTITY = (
-    
"https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/";
-    "workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main"
-)
-TEST_ISSUER = "https://token.actions.githubusercontent.com";
-
+TEST_IDENTITY = "[email protected]"
+TEST_ISSUER = "https://accounts.google.com";
+TOKEN_URL = 
"https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt";
 
-def identity_token() -> str:
-    """Return identity token for TEST_IDENTITY"""
-    # following code is modified from extremely-dangerous-public-oidc-beacon 
download-token.py.
-    # Caching can be made smarter (to return the cached token only if it is 
valid) if token
-    # starts going invalid during runs
-    min_validity = timedelta(seconds=5)
-    max_retry_time = timedelta(minutes=5 if os.getenv("CI") else 1)
-    retry_sleep_secs = 30 if os.getenv("CI") else 5
-    git_url = 
"https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon.git";
-
-    def git_clone(url: str, dir_: str) -> None:
-        base_cmd = [
-            "git",
-            "clone",
-            "--quiet",
-            "--branch",
-            "current-token",
-            "--depth",
-            "1",
-        ]
-        subprocess.run(base_cmd + [url, dir_], check=True)
-
-    def is_valid_at(token: str, reference_time: datetime) -> bool:
-        # split token, b64 decode (with padding), parse as json, validate 
expiry
-        payload = token.split(".")[1]
-        payload += "=" * (4 - len(payload) % 4)
-        payload_json = json.loads(b64decode(payload))
-
-        expiry = datetime.fromtimestamp(payload_json["exp"])
-        return reference_time < expiry
-
-    start_time = datetime.now()
-    while datetime.now() <= start_time + max_retry_time:
-        with TemporaryDirectory() as tempdir:
-            git_clone(git_url, tempdir)
-
-            with Path(tempdir, "oidc-token.txt").open(encoding="utf-8") as f:
-                token = f.read().rstrip()
-
-            if is_valid_at(token, datetime.now() + min_validity):
-                return token
-
-        print(
-            f"Current token expires too early, retrying in {retry_sleep_secs} 
seconds."
-        )
-        time.sleep(retry_sleep_secs)
 
-    raise TimeoutError(f"Failed to find a valid token in {max_retry_time}")
[email protected]
+def token() -> str:
+    """Fetch and cache testing token"""
+    with request.urlopen(TOKEN_URL) as response:
+        return response.read().decode()
 
 
 class TestSigstoreSigner(unittest.TestCase):
     """Test public key parsing, signature creation and verification."""
 
-    @classmethod
-    def setUpClass(cls):
-        cls.token = identity_token()
-
-    def test_sign(self):
+    def test_sign(self) -> None:
         uri, public_key = SigstoreSigner.import_(TEST_IDENTITY, TEST_ISSUER)
-        with mock.patch("sigstore.oidc.detect_credential", 
return_value=self.token):
+        with mock.patch("sigstore.oidc.detect_credential", 
return_value=token()):
             signer = Signer.from_priv_key_uri(uri, public_key)
 
         sig = signer.sign(b"data")
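Review bot: The new `token()` helper calls `request.urlopen(TOKEN_URL)` without a timeout, so a stalled connection hangs the test run, and it returns the body without the `.rstrip()` that the removed `identity_token()` applied, so a trailing newline in the hosted file would be handed to the mocked `detect_credential` as part of the token. I would write `with request.urlopen(TOKEN_URL, timeout=30) as response:` and `return response.read().decode().strip()`. The old helper's expiry check and retry loop are gone as well, so an expired hosted token would now only show up as a failure further down in signing. A short comment stating that the hosted token is expected to be kept fresh would record that assumption. The test class continues outside the hunk.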
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/tests/test_hsm_signer.py 
new/securesystemslib-1.4.0/tests/test_hsm_signer.py
--- old/securesystemslib-1.3.1/tests/test_hsm_signer.py 2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/tests/test_hsm_signer.py 2020-02-02 
01:00:00.000000000 +0100
@@ -30,6 +30,7 @@
 
     hsm_keyid = 1
     hsm_keyid_default = 2
+    hsm_keyid_odd = 258
     hsm_user_pin = "123456"
 
     @staticmethod
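Review bot: `hsm_keyid_odd = 258` is named misleadingly: 258 is even, and what the value exercises is a CKA_ID that needs two bytes (0x01 0x02). `hsm_keyid_multibyte = 258` with a comment `# 0x0102: CKA_ID longer than one byte` would say so; the two later hunks that reference the attribute would need the same rename. The boundary cases of the new encoding, `0` (the `or 1` branch) and `256` (a trailing zero byte), are not covered by the keys this file generates in the visible hunks.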
@@ -37,6 +38,8 @@
         "Create ecdsa key pair on hsm"
         params = ECDomainParameters(name="named", 
value=NamedCurve(curve.name)).dump()
 
+        cka_id = list(keyid.to_bytes((keyid.bit_length() + 7) // 8 or 1, 
"big"))
+
         public_template = [
             (PyKCS11.CKA_CLASS, PyKCS11.CKO_PUBLIC_KEY),
             (PyKCS11.CKA_PRIVATE, PyKCS11.CK_FALSE),
@@ -47,7 +50,7 @@
             (PyKCS11.CKA_KEY_TYPE, PyKCS11.CKK_ECDSA),
             (PyKCS11.CKA_EC_PARAMS, params),
             (PyKCS11.CKA_LABEL, curve.name),
-            (PyKCS11.CKA_ID, (keyid,)),
+            (PyKCS11.CKA_ID, cka_id),
         ]
         private_template = [
             (PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY),
@@ -58,7 +61,7 @@
             (PyKCS11.CKA_SIGN, PyKCS11.CK_TRUE),
             (PyKCS11.CKA_UNWRAP, PyKCS11.CK_FALSE),
             (PyKCS11.CKA_LABEL, curve.name),
-            (PyKCS11.CKA_ID, (keyid,)),
+            (PyKCS11.CKA_ID, cka_id),
         ]
 
         session.generateKeyPair(
@@ -100,6 +103,7 @@
         # Generate test ecdsa key pairs for curves secp256r1 and secp384r1 on 
test token
         cls._generate_key_pair(session, cls.hsm_keyid, SECP256R1)
         cls._generate_key_pair(session, cls.hsm_keyid_default, SECP384R1)
+        cls._generate_key_pair(session, cls.hsm_keyid_odd, SECP256R1)
 
         session.logout()
         session.closeSession()
@@ -113,7 +117,7 @@
     def test_hsm(self):
         """Test HSM key export and signing."""
 
-        for hsm_keyid in [self.hsm_keyid, self.hsm_keyid_default]:
+        for hsm_keyid in [self.hsm_keyid, self.hsm_keyid_default, 
self.hsm_keyid_odd]:
             _, key = HSMSigner.import_(hsm_keyid, self.token_filter)
             signer = HSMSigner(
                 hsm_keyid, self.token_filter, key, lambda sec: 
self.hsm_user_pin
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/tests/test_signer.py 
new/securesystemslib-1.4.0/tests/test_signer.py
--- old/securesystemslib-1.3.1/tests/test_signer.py     2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/tests/test_signer.py     2020-02-02 
01:00:00.000000000 +0100
@@ -7,7 +7,7 @@
 import unittest
 from contextlib import suppress
 from pathlib import Path
-from typing import Any, Optional
+from typing import Any
 
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
 from cryptography.hazmat.primitives.serialization import (
@@ -760,7 +760,7 @@
                 cls,
                 priv_key_uri: str,
                 public_key: Key,
-                secrets_handler: Optional[SecretsHandler] = None,
+                secrets_handler: SecretsHandler | None = None,
             ) -> "CustomSigner":
                 return cls(key)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.3.1/tox.ini 
new/securesystemslib-1.4.0/tox.ini
--- old/securesystemslib-1.3.1/tox.ini  2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.4.0/tox.ini  2020-02-02 01:00:00.000000000 +0100
@@ -51,6 +51,8 @@
     -r{toxinidir}/requirements-sigstore.txt
 commands =
     python -m tests.check_sigstore_signer
+passenv =
+    CI
 
 # Check that importing securesystemslib._gpg.constants doesn't shell out.
 [testenv:py-test-gpg-fails]
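Review bot: `passenv = CI` is added for the sigstore check environment, yet the only reads of `CI` visible in this diff, the `os.getenv("CI")` calls in tests/check_sigstore_signer.py, are removed by the same update. If nothing else in that environment reads the variable, the passthrough can be dropped so the test run receives no more host variables than it needs; otherwise a comment naming the consumer would help.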
