Hello community,

here is the log from the commit of package python-securesystemslib for 
openSUSE:Factory checked in at 2025-09-26 22:25:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-securesystemslib (Old)
 and      /work/SRC/openSUSE:Factory/.python-securesystemslib.new.11973 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-securesystemslib"

Fri Sep 26 22:25:18 2025 rev:6 rq:1307338 version:1.3.0

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/python-securesystemslib/python-securesystemslib.changes
  2025-02-11 21:25:03.855342165 +0100
+++ 
/work/SRC/openSUSE:Factory/.python-securesystemslib.new.11973/python-securesystemslib.changes
       2025-09-26 22:27:08.160622570 +0200
@@ -1,0 +2,11 @@
+Fri Sep 26 08:32:13 UTC 2025 - John Paul Adrian Glaubitz 
<[email protected]>
+
+- Update to 1.3.0
+  * Annotate library (#970)
+  * Deprecate hash module (#977)
+  * Modernize license metadata (#942)
+  * Refactor signing scheme parsing (#981)
+  * Misc test and ci/cd improvements (#926, #953, #958, #965, #966)
+- Use Python 3.11 on SLE-15 by default
+
+-------------------------------------------------------------------

Old:
----
  securesystemslib-1.2.0.tar.gz

New:
----
  securesystemslib-1.3.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-securesystemslib.spec ++++++
--- /var/tmp/diff_new_pack.UtzQND/_old  2025-09-26 22:27:08.732646694 +0200
+++ /var/tmp/diff_new_pack.UtzQND/_new  2025-09-26 22:27:08.732646694 +0200
@@ -15,9 +15,9 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
-
+%{?sle15_python_module_pythons}
 Name:           python-securesystemslib
-Version:        1.2.0
+Version:        1.3.0
 Release:        0
 Summary:        Cryptographic and general routines for Secure Systems Lab
 License:        MIT

++++++ securesystemslib-1.2.0.tar.gz -> securesystemslib-1.3.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/CHANGELOG.md 
new/securesystemslib-1.3.0/CHANGELOG.md
--- old/securesystemslib-1.2.0/CHANGELOG.md     2020-02-02 01:00:00.000000000 
+0100
+++ new/securesystemslib-1.3.0/CHANGELOG.md     2020-02-02 01:00:00.000000000 
+0100
@@ -1,5 +1,21 @@
 # Changelog
 
+## securesystemslib v1.3.0
+
+The `hash` module will be removed in the next major version. Consider using
+`hashlib` from the standard library directly instead.
+
+### Added
+* Annotate library (#970)
+
+### Changed
+* Deprecate hash module (#977)
+* Modernize license metadata (#942)
+
+### Internals
+* Refactor signing scheme parsing (#981)
+* Misc test and ci/cd improvements (#926, #953, #958, #965, #966)
+
 ## securesystemslib v1.2.0
 
 Small release with mostly internal changes.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/PKG-INFO 
new/securesystemslib-1.3.0/PKG-INFO
--- old/securesystemslib-1.2.0/PKG-INFO 2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/PKG-INFO 2020-02-02 01:00:00.000000000 +0100
@@ -1,16 +1,16 @@
-Metadata-Version: 2.3
+Metadata-Version: 2.4
 Name: securesystemslib
-Version: 1.2.0
+Version: 1.3.0
 Summary: A library that provides cryptographic and general-purpose routines 
for Secure Systems Lab projects at NYU
 Project-URL: Homepage, https://github.com/secure-systems-lab/securesystemslib
 Project-URL: Source, https://github.com/secure-systems-lab/securesystemslib
 Project-URL: Issues, 
https://github.com/secure-systems-lab/securesystemslib/issues
 Author-email: "https://www.updateframework.com"; 
<[email protected]>
-License: MIT
+License-Expression: MIT
+License-File: LICENSE
 Keywords: cryptography,ecdsa,ed25519,keys,rsa,signatures
 Classifier: Development Status :: 4 - Beta
 Classifier: Intended Audience :: Developers
-Classifier: License :: OSI Approved :: MIT License
 Classifier: Natural Language :: English
 Classifier: Operating System :: MacOS :: MacOS X
 Classifier: Operating System :: Microsoft :: Windows
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/mypy.ini 
new/securesystemslib-1.3.0/mypy.ini
--- old/securesystemslib-1.2.0/mypy.ini 2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/mypy.ini 1970-01-01 01:00:00.000000000 +0100
@@ -1,37 +0,0 @@
-[mypy]
-warn_unused_configs = True
-
-exclude = securesystemslib/_vendor
-
-# Supress error messages until enough modules
-# are type annotated
-follow_imports = silent
-
-# let's not install typeshed annotations for GCPSigner
-[mypy-google.*]
-ignore_missing_imports = True
-
-# Suppress error messages for non-annotating dependencies
-[mypy-PyKCS11.*]
-ignore_missing_imports = True
-
-[mypy-asn1crypto.*]
-ignore_missing_imports = True
-
-[mypy-sigstore_protobuf_specs.*]
-ignore_missing_imports = True
-
-[mypy-pyspx.*]
-ignore_missing_imports = True
-
-[mypy-azure.*]
-ignore_missing_imports = True
-
-[mypy-boto3.*]
-ignore_missing_imports = True
-
-[mypy-botocore.*]
-ignore_missing_imports = True
-
-[mypy-hvac.*]
-ignore_missing_imports = True
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/pyproject.toml 
new/securesystemslib-1.3.0/pyproject.toml
--- old/securesystemslib-1.2.0/pyproject.toml   2020-02-02 01:00:00.000000000 
+0100
+++ new/securesystemslib-1.3.0/pyproject.toml   2020-02-02 01:00:00.000000000 
+0100
@@ -1,14 +1,12 @@
 [build-system]
-# Dependabot cannot do `build-system.requires` 
(dependabot/dependabot-core#8465)
-# workaround to get reproducibility and auto-updates:
-#   PIP_CONSTRAINT=requirements/build.txt python3 -m build ...
-requires = ["hatchling"]
+requires = ["hatchling==1.27.0"]
 build-backend = "hatchling.build"
 
 [project]
 name = "securesystemslib"
 authors = [{name = "https://www.updateframework.com";, email = 
"[email protected]"}]
-license = {text = "MIT"}
+license = "MIT"
+license-files = [ "LICENSE" ]
 description = "A library that provides cryptographic and general-purpose 
routines for Secure Systems Lab projects at NYU"
 readme = "README.md"
 keywords = [
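Review bot: The new `requires = ["hatchling==1.27.0"]` line replaces the comment that explained how the build backend was kept reproducible, and nothing in its place records why the exact pin exists or how it is kept current. An `==` pin in `build-system.requires` fixes the version but carries no hash, so it gives reproducibility rather than integrity. Builders that supply their own hatchling (distribution packaging, offline builds) have to match or relax it. A one-line comment above the key, for example `# exact pin for reproducible release builds; bump together with CI`, would keep the intent visible; how the pin is updated now that the Dependabot workaround is gone is not shown on this page and should be confirmed.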
@@ -22,7 +20,6 @@
 classifiers = [
     "Development Status :: 4 - Beta",
     "Intended Audience :: Developers",
-    "License :: OSI Approved :: MIT License",
     "Natural Language :: English",
     "Operating System :: POSIX",
     "Operating System :: POSIX :: Linux",
@@ -65,7 +62,6 @@
   "/securesystemslib",
   "/requirements*.txt",
   "/tox.ini",
-  "/mypy.ini",
   "/CHANGELOG.md",
   "/.coveragerc",
 ]
@@ -90,4 +86,43 @@
 "tests/*" = [
     "S",      # bandit: Not running bandit on tests
     "E501"    # line-too-long
-]
\ No newline at end of file
+]
+
+[tool.mypy]
+warn_unused_configs = "True"
+warn_redundant_casts = "True"
+warn_unused_ignores = "True"
+warn_unreachable = "True"
+strict_equality = "True"
+disallow_untyped_defs = "True"
+show_error_codes = "True"
+
+exclude = [
+  "^securesystemslib/_vendor/",
+  "^securesystemslib/_gpg/",
+  "^securesystemslib/hash.py",
+]
+
+[[tool.mypy.overrides]]
+module = [
+  # let's not install typeshed annotations for GCPSigner
+  "google.*",
+  # Suppress error messages for non-annotating dependencies
+  "PyKCS11.*",
+  "asn1crypto.*",
+  "sigstore_protobuf_specs.*",
+  "pyspx.*",
+  "azure.*",
+  "boto3.*",
+  "botocore.*",
+  "hvac.*",
+]
+ignore_missing_imports = "True"
+
+[[tool.mypy.overrides]]
+module = [
+  "securesystemslib._gpg.*",
+  "securesystemslib._vendor.*",
+  "securesystemslib.hash",
+]
+follow_imports = "skip"
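Review bot: The flags in the new `[tool.mypy]` table are written as the string `"True"` rather than as TOML booleans. TOML has a native boolean type, so `warn_unused_configs = true` (likewise for the other flags and for `ignore_missing_imports`) is the conventional form and does not rely on mypy converting strings. In the `exclude` list, `"^securesystemslib/hash.py"` leaves the dot unescaped and the end unanchored; `"^securesystemslib/hash\\.py$"` states what is meant. The `exclude` entry and the `follow_imports = "skip"` override also keep `_gpg/`, the packet-parsing code touched elsewhere in this update, outside `disallow_untyped_defs`, so the stricter settings do not cover it.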
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/requirements-aws.txt 
new/securesystemslib-1.3.0/requirements-aws.txt
--- old/securesystemslib-1.2.0/requirements-aws.txt     2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/requirements-aws.txt     2020-02-02 
01:00:00.000000000 +0100
@@ -1,2 +1,2 @@
-boto3==1.35.69
-botocore==1.35.69
+boto3~=1.37.34
+botocore~=1.37.34
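Review bot: `boto3~=1.37.34` and `botocore~=1.37.34` change these entries from an exact pin to a compatible-release range, so any later 1.37.x release is accepted at install time. The other requirements files in this update (`mypy==1.15.0`, `sigstore==3.6.2`, `coverage==7.8.0`) keep exact `==` pins. If the range is deliberate, a comment line such as `# compatible-release range on purpose, not an exact pin` would say so; otherwise `boto3==1.37.34` and `botocore==1.37.34` keep the AWS test environment reproducible and consistent with the other files.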
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/requirements-build.txt 
new/securesystemslib-1.3.0/requirements-build.txt
--- old/securesystemslib-1.2.0/requirements-build.txt   2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/requirements-build.txt   2020-02-02 
01:00:00.000000000 +0100
@@ -1,2 +1 @@
 build==1.2.2.post1
-hatchling==1.26.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/requirements-lint.txt 
new/securesystemslib-1.3.0/requirements-lint.txt
--- old/securesystemslib-1.2.0/requirements-lint.txt    2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/requirements-lint.txt    2020-02-02 
01:00:00.000000000 +0100
@@ -1,2 +1,3 @@
-mypy==1.13.0
-ruff==0.8.1
+mypy==1.15.0
+ruff==0.11.5
+zizmor==1.5.2
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/requirements-sigstore.txt 
new/securesystemslib-1.3.0/requirements-sigstore.txt
--- old/securesystemslib-1.2.0/requirements-sigstore.txt        2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/requirements-sigstore.txt        2020-02-02 
01:00:00.000000000 +0100
@@ -1 +1 @@
-sigstore==3.5.1
+sigstore==3.6.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/requirements-test.txt 
new/securesystemslib-1.3.0/requirements-test.txt
--- old/securesystemslib-1.2.0/requirements-test.txt    2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/requirements-test.txt    2020-02-02 
01:00:00.000000000 +0100
@@ -1,2 +1,2 @@
 # additional test tools
-coverage==7.6.8
+coverage==7.8.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/securesystemslib/__init__.py 
new/securesystemslib-1.3.0/securesystemslib/__init__.py
--- old/securesystemslib-1.2.0/securesystemslib/__init__.py     2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/__init__.py     2020-02-02 
01:00:00.000000000 +0100
@@ -1,6 +1,6 @@
 import logging
 
-__version__ = "1.2.0"
+__version__ = "1.3.0"
 
 # Configure a basic 'securesystemslib' top-level logger with a StreamHandler
 # (print to console) and the WARNING log level (print messages of type
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.2.0/securesystemslib/_gpg/common.py 
new/securesystemslib-1.3.0/securesystemslib/_gpg/common.py
--- old/securesystemslib-1.2.0/securesystemslib/_gpg/common.py  2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/_gpg/common.py  2020-02-02 
01:00:00.000000000 +0100
@@ -385,8 +385,9 @@
 
             if not is_valid:
                 log.info(
-                    "Ignoring invalid User ID self-certificate issued "
-                    "by '{}'.".format(signature["keyid"])
+                    "Ignoring invalid User ID self-certificate issued by 
'{}'.".format(
+                        signature["keyid"]
+                    )
                 )
                 continue
 
@@ -752,11 +753,9 @@
     hashed_subpackets = data[ptr : ptr + hashed_octet_count]
     hashed_subpacket_info = gpg_util.parse_subpackets(hashed_subpackets)
 
-    # Check whether we were actually able to read this much hashed octets
     if len(hashed_subpackets) != hashed_octet_count:  # pragma: no cover
         raise ValueError(
-            "This signature packet seems to be corrupted."
-            "It is missing hashed octets!"
+            "Signature packet contains an unexpected amount of hashed octets"
         )
 
     ptr += hashed_octet_count
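Review bot: `gpg_util.parse_subpackets(hashed_subpackets)` runs before the `len(hashed_subpackets) != hashed_octet_count` check, so a slice cut short by truncated input is parsed first and the length error is raised only afterwards. Moving the `if len(hashed_subpackets) != hashed_octet_count:` block above the `parse_subpackets` call would reject the short packet before any subpacket parsing; whether `parse_subpackets` already fails cleanly on a short buffer cannot be seen from this hunk. The commit also drops the comment that explained the check, and the branch is marked `# pragma: no cover`. A comment such as `# the slice is shorter than declared when the packet is truncated`, plus a test with a truncated signature packet, would keep the intent documented and exercised. The enclosing function starts and ends outside the hunk.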
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.2.0/securesystemslib/_gpg/eddsa.py 
new/securesystemslib-1.3.0/securesystemslib/_gpg/eddsa.py
--- old/securesystemslib-1.2.0/securesystemslib/_gpg/eddsa.py   2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/_gpg/eddsa.py   2020-02-02 
01:00:00.000000000 +0100
@@ -79,8 +79,7 @@
     # See 9.2. ECC Curve OID
     if curve_oid != ED25519_PUBLIC_KEY_OID:
         raise PacketParsingError(
-            f"bad ed25519 curve OID '{curve_oid}', "
-            f"expected {ED25519_PUBLIC_KEY_OID}'"
+            f"bad ed25519 curve OID '{curve_oid}', expected 
{ED25519_PUBLIC_KEY_OID}'"
         )
 
     # See 13.3. EdDSA Point Format
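Review bot: The joined error message still ends in an unmatched quote: `expected {ED25519_PUBLIC_KEY_OID}'` has a closing `'` with no opening one, unlike `'{curve_oid}'` earlier in the same string. Since the line is being rewritten anyway, `f"bad ed25519 curve OID '{curve_oid}', expected '{ED25519_PUBLIC_KEY_OID}'"` would make the text consistent. The enclosing function continues outside the hunk.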
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/securesystemslib/_gpg/util.py 
new/securesystemslib-1.3.0/securesystemslib/_gpg/util.py
--- old/securesystemslib-1.2.0/securesystemslib/_gpg/util.py    2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/_gpg/util.py    2020-02-02 
01:00:00.000000000 +0100
@@ -192,7 +192,7 @@
 
         elif length_type == 3:
             raise PacketParsingError(
-                "Old length " "format packets of indeterminate length are not 
supported"
+                "Old length format packets of indeterminate length are not 
supported"
             )
 
         else:  # pragma: no cover (unreachable)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.2.0/securesystemslib/signer/_aws_signer.py 
new/securesystemslib-1.3.0/securesystemslib/signer/_aws_signer.py
--- old/securesystemslib-1.2.0/securesystemslib/signer/_aws_signer.py   
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/signer/_aws_signer.py   
2020-02-02 01:00:00.000000000 +0100
@@ -74,7 +74,7 @@
         "rsa-pkcs1v15-sha512": "RSASSA_PKCS1_V1_5_SHA_512",
     }
 
-    def __init__(self, aws_key_id: str, public_key: Key):
+    def __init__(self, aws_key_id: str, public_key: SSlibKey):
         if AWS_IMPORT_ERROR:
             raise UnsupportedLibraryError(AWS_IMPORT_ERROR)
 
@@ -84,7 +84,7 @@
         self.aws_algo = self.aws_algos[self.public_key.scheme]
 
     @property
-    def public_key(self) -> Key:
+    def public_key(self) -> SSlibKey:
         return self._public_key
 
     @classmethod
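Review bot: `self.aws_algos[self.public_key.scheme]` on the first context line raises a bare `KeyError` when the key's scheme has no AWS mapping. The Azure and GCP signers in this same update now check `(keytype, scheme)` against an allowlist in `__init__` and raise `UnsupportedKeyType` or `UnsupportedAlgorithmError`. For parity, a guard such as `if public_key.scheme not in self.aws_algos: raise ValueError(f"Unsupported scheme {public_key.scheme}")`, or whichever library exception this module already imports, would give callers a documented failure. The rest of `__init__` lies between this hunk and the previous one and is not visible, so an earlier check may already exist.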
@@ -94,6 +94,9 @@
         public_key: Key,
         secrets_handler: SecretsHandler | None = None,
     ) -> AWSSigner:
+        if not isinstance(public_key, SSlibKey):
+            raise ValueError(f"Expected SSlibKey for {priv_key_uri}")
+
         uri = parse.urlparse(priv_key_uri)
 
         if uri.scheme != cls.SCHEME:
@@ -121,7 +124,7 @@
     @classmethod
     def import_(
         cls, aws_key_id: str, local_scheme: str | None = None
-    ) -> tuple[str, Key]:
+    ) -> tuple[str, SSlibKey]:
         """Loads a key and signer details from AWS KMS.
 
         Returns the private key uri and the public key. This method should only
@@ -133,7 +136,7 @@
             Defaults to 'rsassa-pss-sha256' if not provided and RSA.
 
         Returns:
-            Tuple[str, Key]: A tuple where the first element is a string
+            Tuple[str, SSlibKey]: A tuple where the first element is a string
             representing the private key URI, and the second element is an
             instance of the public key.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.2.0/securesystemslib/signer/_azure_signer.py 
new/securesystemslib-1.3.0/securesystemslib/signer/_azure_signer.py
--- old/securesystemslib-1.2.0/securesystemslib/signer/_azure_signer.py 
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/signer/_azure_signer.py 
2020-02-02 01:00:00.000000000 +0100
@@ -2,10 +2,10 @@
 
 from __future__ import annotations
 
+import hashlib
 import logging
 from urllib import parse
 
-import securesystemslib.hash as sslib_hash
 from securesystemslib.exceptions import UnsupportedLibraryError
 from securesystemslib.signer._key import Key, SSlibKey
 from securesystemslib.signer._signer import SecretsHandler, Signature, Signer
@@ -28,6 +28,20 @@
         Encoding,
         PublicFormat,
     )
+
+    KEYTYPES_AND_SCHEMES = {
+        KeyCurveName.p_256: ("ecdsa", "ecdsa-sha2-nistp256"),
+        KeyCurveName.p_384: ("ecdsa", "ecdsa-sha2-nistp384"),
+        KeyCurveName.p_521: ("ecdsa", "ecdsa-sha2-nistp521"),
+    }
+
+    SIGNATURE_ALGORITHMS = {
+        "ecdsa-sha2-nistp256": SignatureAlgorithm.es256,
+        "ecdsa-sha2-nistp384": SignatureAlgorithm.es384,
+        "ecdsa-sha2-nistp521": SignatureAlgorithm.es512,
+    }
+
+
 except ImportError:
     AZURE_IMPORT_ERROR = (
         "Signing with Azure Key Vault requires azure-identity, "
@@ -66,27 +80,28 @@
 
     SCHEME = "azurekms"
 
-    def __init__(self, az_key_uri: str, public_key: Key):
+    def __init__(self, az_key_uri: str, public_key: SSlibKey):
         if AZURE_IMPORT_ERROR:
             raise UnsupportedLibraryError(AZURE_IMPORT_ERROR)
 
-        try:
-            cred = DefaultAzureCredential()
-            self.crypto_client = CryptographyClient(
-                az_key_uri,
-                credential=cred,
-            )
-            self.signature_algorithm = self._get_signature_algorithm(
-                public_key,
+        if (public_key.keytype, public_key.scheme) not in 
KEYTYPES_AND_SCHEMES.values():
+            logger.info("only EC keys are supported for now")
+            raise UnsupportedKeyType(
+                "Supplied key must be an EC key on curve "
+                "nistp256, nistp384, or nistp521"
             )
-            self.hash_algorithm = self._get_hash_algorithm(public_key)
-        except UnsupportedKeyType as e:
-            logger.info("Key %s has unsupported key type or unsupported 
elliptic curve")
-            raise e
+
+        cred = DefaultAzureCredential()
+        self.crypto_client = CryptographyClient(
+            az_key_uri,
+            credential=cred,
+        )
+        self.signature_algorithm = SIGNATURE_ALGORITHMS[public_key.scheme]
+        self.hash_algorithm = public_key.get_hash_algorithm_name()
         self._public_key = public_key
 
     @property
-    def public_key(self) -> Key:
+    def public_key(self) -> SSlibKey:
         return self._public_key
 
     @staticmethod
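Review bot: `self.hash_algorithm` now comes from `public_key.get_hash_algorithm_name()`, whose body is not shown on this page, while the removed `_get_hash_algorithm` mapped `nistp521` to `sha512` explicitly. Because `ecdsa-sha2-nistp521` is in the new allowlist and the value is later passed to `hashlib.new(self.hash_algorithm)` in `sign`, confirm (ideally with a test) that the method returns `sha512` for that scheme rather than a name derived from the curve size. Separately, the `logger.info("only EC keys are supported for now")` text no longer matches the check, which also rejects EC keys on other curves; the exception message already describes this accurately and the log line could reuse it.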
@@ -129,52 +144,11 @@
             raise e
 
     @staticmethod
-    def _get_signature_algorithm(public_key: Key) -> SignatureAlgorithm:
-        """Return SignatureAlgorithm after parsing the public key"""
-        if public_key.keytype != "ecdsa":
-            logger.info("only EC keys are supported for now")
-            raise UnsupportedKeyType("Supplied key must be an EC key")
-        # Format is "ecdsa-sha2-nistp256"
-        comps = public_key.scheme.split("-")
-        if len(comps) != 3:  # noqa: PLR2004
-            raise UnsupportedKeyType("Invalid scheme found")
-
-        if comps[2] == "nistp256":
-            return SignatureAlgorithm.es256
-        if comps[2] == "nistp384":
-            return SignatureAlgorithm.es384
-        if comps[2] == "nistp521":
-            return SignatureAlgorithm.es512
-
-        raise UnsupportedKeyType("Unsupported curve supplied by key")
-
-    @staticmethod
-    def _get_hash_algorithm(public_key: Key) -> str:
-        """Return the hash algorithm used by the public key"""
-        # Format is "ecdsa-sha2-nistp256"
-        comps = public_key.scheme.split("-")
-        if len(comps) != 3:  # noqa: PLR2004
-            raise UnsupportedKeyType("Invalid scheme found")
-
-        if comps[2] == "nistp256":
-            return "sha256"
-        if comps[2] == "nistp384":
-            return "sha384"
-        if comps[2] == "nistp521":
-            return "sha512"
-
-        raise UnsupportedKeyType("Unsupported curve supplied by key")
-
-    @staticmethod
     def _get_keytype_and_scheme(crv: str) -> tuple[str, str]:
-        if crv == KeyCurveName.p_256:
-            return "ecdsa", "ecdsa-sha2-nistp256"
-        if crv == KeyCurveName.p_384:
-            return "ecdsa", "ecdsa-sha2-nistp384"
-        if crv == KeyCurveName.p_521:
-            return "ecdsa", "ecdsa-sha2-nistp521"
-
-        raise UnsupportedKeyType("Unsupported curve supplied by key")
+        try:
+            return KEYTYPES_AND_SCHEMES[crv]
+        except KeyError:
+            raise UnsupportedKeyType("Unsupported curve supplied by key")
 
     @classmethod
     def from_priv_key_uri(
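Review bot: In `_get_keytype_and_scheme` the new `raise UnsupportedKeyType(...)` inside `except KeyError:` has no `from` clause, so the traceback presents the internal `KeyError` as a second failure during handling. `raise UnsupportedKeyType("Unsupported curve supplied by key") from None` (or `from e` with `except KeyError as e`) states the intent. The lookup also relies on `KEYTYPES_AND_SCHEMES`, which is defined inside the module's `try:` import block, so the name does not exist when the Azure libraries are missing. Presumably callers check `AZURE_IMPORT_ERROR` first, but that is outside this hunk.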
@@ -183,6 +157,9 @@
         public_key: Key,
         secrets_handler: SecretsHandler | None = None,
     ) -> AzureSigner:
+        if not isinstance(public_key, SSlibKey):
+            raise ValueError(f"Expected SSlibKey for {priv_key_uri}")
+
         uri = parse.urlparse(priv_key_uri)
 
         if uri.scheme != cls.SCHEME:
@@ -192,7 +169,7 @@
         return cls(az_key_uri, public_key)
 
     @classmethod
-    def import_(cls, az_vault_name: str, az_key_name: str) -> tuple[str, Key]:
+    def import_(cls, az_vault_name: str, az_key_name: str) -> tuple[str, 
SSlibKey]:
         """Load key and signer details from KMS
 
         Returns the private key uri and the public key. This method should only
@@ -245,7 +222,7 @@
             Signature.
         """
 
-        hasher = sslib_hash.digest(self.hash_algorithm)
+        hasher = hashlib.new(self.hash_algorithm)
         hasher.update(payload)
         digest = hasher.digest()
         response = self.crypto_client.sign(self.signature_algorithm, digest)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.2.0/securesystemslib/signer/_crypto_signer.py 
new/securesystemslib-1.3.0/securesystemslib/signer/_crypto_signer.py
--- old/securesystemslib-1.2.0/securesystemslib/signer/_crypto_signer.py        
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/signer/_crypto_signer.py        
2020-02-02 01:00:00.000000000 +0100
@@ -38,10 +38,7 @@
     )
     from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
     from cryptography.hazmat.primitives.hashes import (
-        SHA224,
         SHA256,
-        SHA384,
-        SHA512,
         HashAlgorithm,
     )
     from cryptography.hazmat.primitives.serialization import (
@@ -50,6 +47,9 @@
         PrivateFormat,
         load_pem_private_key,
     )
+
+    from securesystemslib.signer._crypto_utils import get_hash_algorithm
+
 except ImportError:
     CRYPTO_IMPORT_ERROR = "'pyca/cryptography' library required"
 
@@ -77,21 +77,6 @@
 _ECDSA_KEYTYPES = ["ecdsa", "ecdsa-sha2-nistp256"]
 
 
-def _get_hash_algorithm(name: str) -> "HashAlgorithm":
-    """Helper to return hash algorithm for name."""
-    algorithm: HashAlgorithm
-    if name == "sha224":
-        algorithm = SHA224()
-    if name == "sha256":
-        algorithm = SHA256()
-    if name == "sha384":
-        algorithm = SHA384()
-    if name == "sha512":
-        algorithm = SHA512()
-
-    return algorithm
-
-
 def _get_rsa_padding(name: str, hash_algorithm: "HashAlgorithm") -> 
"AsymmetricPadding":
     """Helper to return rsa signature padding for name."""
     padding: AsymmetricPadding
@@ -155,9 +140,12 @@
             if not isinstance(private_key, RSAPrivateKey):
                 raise ValueError(f"invalid rsa key: {type(private_key)}")
 
-            padding_name, hash_name = public_key.scheme.split("-")[1:]
-            hash_algo = _get_hash_algorithm(hash_name)
+            hash_name = public_key.get_hash_algorithm_name()
+            hash_algo = get_hash_algorithm(hash_name)
+
+            padding_name = public_key.get_padding_name()
             padding = _get_rsa_padding(padding_name, hash_algo)
+
             self._sign_args = _RSASignArgs(padding, hash_algo)
             self._private_key = private_key
 
@@ -187,7 +175,7 @@
         self._public_key = public_key
 
     @property
-    def public_key(self) -> Key:
+    def public_key(self) -> SSlibKey:
         return self._public_key
 
     @property
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.2.0/securesystemslib/signer/_crypto_utils.py 
new/securesystemslib-1.3.0/securesystemslib/signer/_crypto_utils.py
--- old/securesystemslib-1.2.0/securesystemslib/signer/_crypto_utils.py 
1970-01-01 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/signer/_crypto_utils.py 
2020-02-02 01:00:00.000000000 +0100
@@ -0,0 +1,23 @@
+"""Signer utils for internal use that require pyca/cryptography."""
+
+from cryptography.hazmat.primitives.hashes import (
+    SHA224,
+    SHA256,
+    SHA384,
+    SHA512,
+    HashAlgorithm,
+)
+
+
+def get_hash_algorithm(name: str) -> HashAlgorithm:
+    """Helper to return hash algorithm object for name."""
+    if name == "sha224":
+        return SHA224()
+    elif name == "sha256":
+        return SHA256()
+    elif name == "sha384":
+        return SHA384()
+    elif name == "sha512":
+        return SHA512()
+
+    raise ValueError(f"Unsupported hash algorithm: {name}")
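Review bot: `get_hash_algorithm` raises `ValueError` for an unknown name, but its one-line docstring does not say so. The removed `_get_hash_algorithm` in `_crypto_signer.py` had no such branch, so this is a new failure mode for callers. I would extend the docstring to list the accepted names (`sha224`, `sha256`, `sha384`, `sha512`) and add a `Raises: ValueError` entry for anything else. As a style point, each `elif` after a `return` is redundant, and a module-level mapping from name to hash class would keep the allowlist in one place.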
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.2.0/securesystemslib/signer/_gcp_signer.py 
new/securesystemslib-1.3.0/securesystemslib/signer/_gcp_signer.py
--- old/securesystemslib-1.2.0/securesystemslib/signer/_gcp_signer.py   
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/signer/_gcp_signer.py   
2020-02-02 01:00:00.000000000 +0100
@@ -2,10 +2,10 @@
 
 from __future__ import annotations
 
+import hashlib
 import logging
 from urllib import parse
 
-import securesystemslib.hash as sslib_hash
 from securesystemslib import exceptions
 from securesystemslib.signer._key import Key, SSlibKey
 from securesystemslib.signer._signer import SecretsHandler, Signature, Signer
@@ -17,6 +17,49 @@
 try:
     from google.cloud import kms
     from google.cloud.kms_v1.types import CryptoKeyVersion
+
+    KEYTYPES_AND_SCHEMES = {
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256: (
+            "ecdsa",
+            "ecdsa-sha2-nistp256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384: (
+            "ecdsa",
+            "ecdsa-sha2-nistp384",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256: (
+            "rsa",
+            "rsassa-pss-sha256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256: (
+            "rsa",
+            "rsassa-pss-sha256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256: (
+            "rsa",
+            "rsassa-pss-sha256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA512: (
+            "rsa",
+            "rsassa-pss-sha512",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256: 
(
+            "rsa",
+            "rsa-pkcs1v15-sha256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256: 
(
+            "rsa",
+            "rsa-pkcs1v15-sha256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256: 
(
+            "rsa",
+            "rsa-pkcs1v15-sha256",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA512: 
(
+            "rsa",
+            "rsa-pkcs1v15-sha512",
+        ),
+    }
 except ImportError:
     GCP_IMPORT_ERROR = (
         "google-cloud-kms library required to sign with Google Cloud keys."
@@ -56,17 +99,23 @@
 
     SCHEME = "gcpkms"
 
-    def __init__(self, gcp_keyid: str, public_key: Key):
+    def __init__(self, gcp_keyid: str, public_key: SSlibKey):
         if GCP_IMPORT_ERROR:
             raise exceptions.UnsupportedLibraryError(GCP_IMPORT_ERROR)
 
-        self.hash_algorithm = self._get_hash_algorithm(public_key)
+        if (public_key.keytype, public_key.scheme) not in 
KEYTYPES_AND_SCHEMES.values():
+            raise exceptions.UnsupportedAlgorithmError(
+                f"Unsupported key ({public_key.keytype}/{public_key.scheme}) "
+                f"in key {public_key.keyid}"
+            )
+
+        self.hash_algorithm = public_key.get_hash_algorithm_name()
         self.gcp_keyid = gcp_keyid
         self._public_key = public_key
         self.client = kms.KeyManagementServiceClient()
 
     @property
-    def public_key(self) -> Key:
+    def public_key(self) -> SSlibKey:
         return self._public_key
 
     @classmethod
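Review bot: The new check `(public_key.keytype, public_key.scheme) not in KEYTYPES_AND_SCHEMES.values()` accepts only the keytype `ecdsa` for EC keys. The removed `_get_hash_algorithm` also accepted keys whose keytype was `ecdsa-sha2-nistp256` or `ecdsa-sha2-nistp384`, and `_crypto_signer.py` still lists `ecdsa-sha2-nistp256` in `_ECDSA_KEYTYPES`. Keys carrying that legacy keytype would therefore be rejected by `GCPSigner` after this update while `CryptoSigner` still accepts them. If that is intended, the changelog and the class docstring should state it; otherwise the check should tolerate the legacy keytype.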
@@ -76,6 +125,9 @@
         public_key: Key,
         secrets_handler: SecretsHandler | None = None,
     ) -> GCPSigner:
+        if not isinstance(public_key, SSlibKey):
+            raise ValueError(f"Expected SSlibKey for {priv_key_uri}")
+
         uri = parse.urlparse(priv_key_uri)
 
         if uri.scheme != cls.SCHEME:
@@ -84,7 +136,7 @@
         return cls(uri.path, public_key)
 
     @classmethod
-    def import_(cls, gcp_keyid: str) -> tuple[str, Key]:
+    def import_(cls, gcp_keyid: str) -> tuple[str, SSlibKey]:
         """Load key and signer details from KMS
 
         Returns the private key uri and the public key. This method should only
@@ -97,7 +149,7 @@
         request = {"name": gcp_keyid}
         kms_pubkey = client.get_public_key(request)
         try:
-            keytype, scheme = cls._get_keytype_and_scheme(kms_pubkey.algorithm)
+            keytype, scheme = KEYTYPES_AND_SCHEMES[kms_pubkey.algorithm]
         except KeyError as e:
             raise exceptions.UnsupportedAlgorithmError(
                 f"{kms_pubkey.algorithm} is not a supported signing algorithm"
@@ -109,80 +161,6 @@
 
         return f"{cls.SCHEME}:{gcp_keyid}", public_key
 
-    @staticmethod
-    def _get_keytype_and_scheme(algorithm: int) -> tuple[str, str]:
-        """Return keytype and scheme for the KMS algorithm enum"""
-        keytypes_and_schemes = {
-            CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256: (
-                "ecdsa",
-                "ecdsa-sha2-nistp256",
-            ),
-            CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384: (
-                "ecdsa",
-                "ecdsa-sha2-nistp384",
-            ),
-            
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256: (
-                "rsa",
-                "rsassa-pss-sha256",
-            ),
-            
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256: (
-                "rsa",
-                "rsassa-pss-sha256",
-            ),
-            
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256: (
-                "rsa",
-                "rsassa-pss-sha256",
-            ),
-            
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA512: (
-                "rsa",
-                "rsassa-pss-sha512",
-            ),
-            
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256: (
-                "rsa",
-                "rsa-pkcs1v15-sha256",
-            ),
-            
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256: (
-                "rsa",
-                "rsa-pkcs1v15-sha256",
-            ),
-            
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256: (
-                "rsa",
-                "rsa-pkcs1v15-sha256",
-            ),
-            
CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA512: (
-                "rsa",
-                "rsa-pkcs1v15-sha512",
-            ),
-        }
-        return keytypes_and_schemes[algorithm]
-
-    @staticmethod
-    def _get_hash_algorithm(public_key: Key) -> str:
-        """Helper function to return payload hash algorithm used for this 
key"""
-
-        # TODO: This could be a public abstract method on Key so that GCPSigner
-        # would not be tied to a specific Key implementation -- not all keys
-        # have a pre hash algorithm though.
-        if public_key.keytype == "rsa":
-            # hash algorithm is encoded as last scheme portion
-            algo = public_key.scheme.split("-")[-1]
-        elif public_key.keytype in [
-            "ecdsa",
-            "ecdsa-sha2-nistp256",
-            "ecdsa-sha2-nistp384",
-        ]:
-            # nistp256 uses sha-256, nistp384 uses sha-384
-            bits = public_key.scheme.split("-nistp")[-1]
-            algo = f"sha{bits}"
-        else:
-            raise exceptions.UnsupportedAlgorithmError(
-                f"Unsupported key type {public_key.keytype} in key 
{public_key.keyid}"
-            )
-
-        # trigger UnsupportedAlgorithm if appropriate
-        _ = sslib_hash.digest(algo)
-        return algo
-
     def sign(self, payload: bytes) -> Signature:
         """Signs payload with Google Cloud KMS.
 
@@ -198,7 +176,7 @@
         # NOTE: request and response can contain CRC32C of the digest/sig:
         # Verifying could be useful but would require another dependency...
 
-        hasher = sslib_hash.digest(self.hash_algorithm)
+        hasher = hashlib.new(self.hash_algorithm)
         hasher.update(payload)
         digest = {self.hash_algorithm: hasher.digest()}
         request = {"name": self.gcp_keyid, "digest": digest}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.2.0/securesystemslib/signer/_hsm_signer.py 
new/securesystemslib-1.3.0/securesystemslib/signer/_hsm_signer.py
--- old/securesystemslib-1.2.0/securesystemslib/signer/_hsm_signer.py   
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/signer/_hsm_signer.py   
2020-02-02 01:00:00.000000000 +0100
@@ -8,12 +8,12 @@
 from __future__ import annotations
 
 import binascii
+import hashlib
 from collections.abc import Iterator
 from contextlib import contextmanager
 from urllib import parse
 
 from securesystemslib.exceptions import UnsupportedLibraryError
-from securesystemslib.hash import digest
 from securesystemslib.signer._key import Key, SSlibKey
 from securesystemslib.signer._signature import Signature
 from securesystemslib.signer._signer import SecretsHandler, Signer
@@ -64,7 +64,7 @@
 _PYKCS11LIB = None
 
 
-def PYKCS11LIB():  # noqa: N802
+def PYKCS11LIB():  # type: ignore[no-untyped-def] # noqa: N802
     """Pseudo-singleton to load shared library using PYKCS11LIB envvar only 
once."""
     global _PYKCS11LIB  # noqa: PLW0603
     if _PYKCS11LIB is None:
@@ -128,7 +128,7 @@
         self,
         hsm_keyid: int,
         token_filter: dict[str, str],
-        public_key: Key,
+        public_key: SSlibKey,
         pin_handler: SecretsHandler,
     ):
         if CRYPTO_IMPORT_ERROR:
@@ -149,7 +149,7 @@
         self.pin_handler = pin_handler
 
     @property
-    def public_key(self) -> Key:
+    def public_key(self) -> SSlibKey:
         return self._public_key
 
     @staticmethod
@@ -370,7 +370,7 @@
             Signature.
         """
 
-        hasher = digest(algorithm=f"sha{self.public_key.scheme[-3:]}")
+        hasher = hashlib.new(name=f"sha{self.public_key.scheme[-3:]}")
         hasher.update(payload)
 
         pin = self.pin_handler(self.SECRETS_HANDLER_MSG)
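Review bot: The digest name is still derived by slicing the last three characters of the scheme, `f"sha{self.public_key.scheme[-3:]}"`, even though this commit narrows `public_key` to `SSlibKey` and adds `SSlibKey.get_hash_algorithm_name()`, which checks the scheme against an explicit list before returning a name. With the slice, a scheme outside the expected set becomes whatever `sha` plus its last three characters spells (`ecdsa-sha2-nistp521` would ask hashlib for `sha521`), and it is rejected, if at all, only by `hashlib.new` at signing time. Using the validated helper keeps one source of truth for the scheme-to-hash mapping: `hasher = hashlib.new(self.public_key.get_hash_algorithm_name())`. The enclosing method starts above this hunk, so any earlier restriction on the schemes this signer accepts is not visible here.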
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.2.0/securesystemslib/signer/_key.py 
new/securesystemslib-1.3.0/securesystemslib/signer/_key.py
--- old/securesystemslib-1.2.0/securesystemslib/signer/_key.py  2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/signer/_key.py  2020-02-02 
01:00:00.000000000 +0100
@@ -26,6 +26,7 @@
         SECP256R1,
         SECP384R1,
         SECP521R1,
+        EllipticCurve,
         EllipticCurvePublicKey,
     )
     from cryptography.hazmat.primitives.asymmetric.ed25519 import (
@@ -42,7 +43,6 @@
     )
     from cryptography.hazmat.primitives.asymmetric.types import PublicKeyTypes
     from cryptography.hazmat.primitives.hashes import (
-        SHA224,
         SHA256,
         SHA384,
         SHA512,
@@ -53,6 +53,9 @@
         PublicFormat,
         load_pem_public_key,
     )
+
+    from securesystemslib.signer._crypto_utils import get_hash_algorithm
+
 except ImportError:
     CRYPTO_IMPORT_ERROR = "'pyca/cryptography' library required"
 
@@ -215,6 +218,45 @@
             raise ValueError(f"public key string required for scheme {scheme}")
         super().__init__(keyid, keytype, scheme, keyval, unrecognized_fields)
 
+    def get_hash_algorithm_name(self) -> str:
+        """Get hash algorithm name for scheme. Raise
+        ValueError if the scheme is not a supported pre-hash scheme."""
+        if self.scheme in [
+            "rsassa-pss-sha224",
+            "rsassa-pss-sha256",
+            "rsassa-pss-sha384",
+            "rsassa-pss-sha512",
+            "rsa-pkcs1v15-sha224",
+            "rsa-pkcs1v15-sha256",
+            "rsa-pkcs1v15-sha384",
+            "rsa-pkcs1v15-sha512",
+            "ecdsa-sha2-nistp256",
+            "ecdsa-sha2-nistp384",
+        ]:
+            return f"sha{self.scheme[-3:]}"
+
+        elif self.scheme == "ecdsa-sha2-nistp521":
+            return "sha512"
+
+        raise ValueError(f"method not supported for scheme {self.scheme}")
+
+    def get_padding_name(self) -> str:
+        """Get padding name for scheme. Raise
+        ValueError if the scheme is not a supported padded rsa scheme."""
+        if self.scheme in [
+            "rsassa-pss-sha224",
+            "rsassa-pss-sha256",
+            "rsassa-pss-sha384",
+            "rsassa-pss-sha512",
+            "rsa-pkcs1v15-sha224",
+            "rsa-pkcs1v15-sha256",
+            "rsa-pkcs1v15-sha384",
+            "rsa-pkcs1v15-sha512",
+        ]:
+            return self.scheme.split("-")[1]
+
+        raise ValueError(f"method not supported for scheme {self.scheme}")
+
     @classmethod
     def from_dict(cls, keyid: str, key_dict: dict[str, Any]) -> SSlibKey:
         keytype, scheme, keyval = cls._from_dict(key_dict)
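Review bot: In `get_hash_algorithm_name` the `f"sha{self.scheme[-3:]}"` slice is correct only because of the allow-list directly above it, and for the two ECDSA entries the trailing digits are the curve size, which merely happens to equal the digest size. `ecdsa-sha2-nistp521` is special-cased for that reason, but nothing in the code says so. A comment such as `# last 3 chars name the digest for RSA; for nistp256/384 curve size == SHA-2 size, nistp521 pairs with sha512` would stop a future scheme from being added to the list by analogy. The eight RSA scheme strings are also repeated verbatim in `get_padding_name`, so a shared module-level tuple would keep the two lists from drifting, and the `elif` after a `return` can be a plain `if`. `from_dict`, at the end of the hunk, continues outside it.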
@@ -308,21 +350,6 @@
         return SSlibKey(keyid, keytype, scheme, keyval)
 
     @staticmethod
-    def _get_hash_algorithm(name: str) -> HashAlgorithm:
-        """Helper to return hash algorithm for name."""
-        algorithm: HashAlgorithm
-        if name == "sha224":
-            algorithm = SHA224()
-        if name == "sha256":
-            algorithm = SHA256()
-        if name == "sha384":
-            algorithm = SHA384()
-        if name == "sha512":
-            algorithm = SHA512()
-
-        return algorithm
-
-    @staticmethod
     def _get_rsa_padding(name: str, hash_algorithm: HashAlgorithm) -> 
AsymmetricPadding:
         """Helper to return rsa signature padding for name."""
         padding: AsymmetricPadding
@@ -346,11 +373,13 @@
     def _verify(self, signature: bytes, data: bytes) -> None:
         """Helper to verify signature using pyca/cryptography (default)."""
 
-        def _validate_type(key, type_):
+        def _validate_type(key: object, type_: type) -> None:
             if not isinstance(key, type_):
                 raise ValueError(f"bad key {key} for {self.scheme}")
 
-        def _validate_curve(key, curve):
+        def _validate_curve(
+            key: EllipticCurvePublicKey, curve: type[EllipticCurve]
+        ) -> None:
             if not isinstance(key.curve, curve):
                 raise ValueError(f"bad curve {key.curve} for {self.scheme}")
 
@@ -368,8 +397,9 @@
             ]:
                 key = cast(RSAPublicKey, self._crypto_key())
                 _validate_type(key, RSAPublicKey)
-                padding_name, hash_name = self.scheme.split("-")[1:]
-                hash_algorithm = self._get_hash_algorithm(hash_name)
+                hash_name = self.get_hash_algorithm_name()
+                hash_algorithm = get_hash_algorithm(hash_name)
+                padding_name = self.get_padding_name()
                 padding = self._get_rsa_padding(padding_name, hash_algorithm)
                 key.verify(signature, data, padding, hash_algorithm)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.2.0/securesystemslib/signer/_utils.py 
new/securesystemslib-1.3.0/securesystemslib/signer/_utils.py
--- old/securesystemslib-1.2.0/securesystemslib/signer/_utils.py        
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/signer/_utils.py        
2020-02-02 01:00:00.000000000 +0100
@@ -2,14 +2,14 @@
 
 from __future__ import annotations
 
+import hashlib
 from typing import Any
 
 from securesystemslib.exceptions import FormatError
 from securesystemslib.formats import encode_canonical
-from securesystemslib.hash import digest
 
 
-def compute_default_keyid(keytype: str, scheme, keyval: dict[str, Any]) -> str:
+def compute_default_keyid(keytype: str, scheme: str, keyval: dict[str, Any]) 
-> str:
     """Return sha256 hexdigest of the canonical json of the key."""
     data: str | None = encode_canonical(
         {
@@ -22,6 +22,5 @@
         byte_data: bytes = data.encode("utf-8")
     else:
         raise FormatError("Failed to encode data into canonical json")
-    hasher = digest("sha256")
-    hasher.update(byte_data)
-    return hasher.hexdigest()
+
+    return hashlib.sha256(byte_data).hexdigest()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.2.0/securesystemslib/signer/_vault_signer.py 
new/securesystemslib-1.3.0/securesystemslib/signer/_vault_signer.py
--- old/securesystemslib-1.2.0/securesystemslib/signer/_vault_signer.py 
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/signer/_vault_signer.py 
2020-02-02 01:00:00.000000000 +0100
@@ -40,7 +40,7 @@
 
     SCHEME = "hv"
 
-    def __init__(self, hv_key_name: str, public_key: Key, hv_key_version: int):
+    def __init__(self, hv_key_name: str, public_key: SSlibKey, hv_key_version: 
int):
         if VAULT_IMPORT_ERROR:
             raise UnsupportedLibraryError(VAULT_IMPORT_ERROR)
 
@@ -76,7 +76,7 @@
         return Signature(self.public_key.keyid, sig)
 
     @property
-    def public_key(self) -> Key:
+    def public_key(self) -> SSlibKey:
         return self._public_key
 
     @classmethod
@@ -86,6 +86,9 @@
         public_key: Key,
         secrets_handler: SecretsHandler | None = None,
     ) -> VaultSigner:
+        if not isinstance(public_key, SSlibKey):
+            raise ValueError(f"Expected SSlibKey for {priv_key_uri}")
+
         uri = parse.urlparse(priv_key_uri)
 
         if uri.scheme != cls.SCHEME:
@@ -96,7 +99,7 @@
         return cls(name, public_key, int(version))
 
     @classmethod
-    def import_(cls, hv_key_name: str) -> tuple[str, Key]:
+    def import_(cls, hv_key_name: str) -> tuple[str, SSlibKey]:
         """Load key and signer details from HashiCorp Vault.
 
         If multiple keys exist in the vault under the passed name, only the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/securesystemslib/storage.py 
new/securesystemslib-1.3.0/securesystemslib/storage.py
--- old/securesystemslib-1.2.0/securesystemslib/storage.py      2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/securesystemslib/storage.py      2020-02-02 
01:00:00.000000000 +0100
@@ -25,7 +25,7 @@
 from abc import ABCMeta, abstractmethod
 from collections.abc import Iterator
 from contextlib import contextmanager
-from typing import IO, BinaryIO
+from typing import IO, Any, BinaryIO
 
 from securesystemslib import exceptions
 
@@ -189,7 +189,7 @@
     # objects.
     _instance = None
 
-    def __new__(cls, *args, **kwargs):
+    def __new__(cls, *args: Any, **kwargs: Any) -> FilesystemBackend:
         if cls._instance is None:
             cls._instance = object.__new__(cls, *args, **kwargs)
         return cls._instance
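Review bot: `object.__new__(cls, *args, **kwargs)` on the context line under the newly annotated signature raises `TypeError` as soon as any argument is passed, because `object.__new__` rejects extra arguments when the class overrides `__new__`. The new `*args: Any, **kwargs: Any` annotation therefore advertises arguments the body cannot accept. Dropping them from the call, `cls._instance = object.__new__(cls)`, is all the singleton needs. The return annotation `FilesystemBackend` would also be too narrow for a subclass, though whether the class is subclassed is not visible from this hunk.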
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.2.0/tests/check_public_interfaces_gpg.py 
new/securesystemslib-1.3.0/tests/check_public_interfaces_gpg.py
--- old/securesystemslib-1.2.0/tests/check_public_interfaces_gpg.py     
2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/tests/check_public_interfaces_gpg.py     
2020-02-02 01:00:00.000000000 +0100
@@ -39,9 +39,9 @@
 class TestPublicInterfacesGPG(unittest.TestCase):
     @classmethod
     def setUpClass(cls):
-        assert (
-            not have_gpg()
-        ), "please remove GnuPG from your environment to run this test case"
+        assert not have_gpg(), (
+            "please remove GnuPG from your environment to run this test case"
+        )
 
     def test_gpg_functions(self):
         """Signing, key export and util functions must raise on missing gpg."""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/securesystemslib-1.2.0/tests/gpg_keyrings/dsa/gpg.conf 
new/securesystemslib-1.3.0/tests/gpg_keyrings/dsa/gpg.conf
--- old/securesystemslib-1.2.0/tests/gpg_keyrings/dsa/gpg.conf  1970-01-01 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/tests/gpg_keyrings/dsa/gpg.conf  2020-02-02 
01:00:00.000000000 +0100
@@ -0,0 +1 @@
+default-key C242A830DAAF1C2BEF604A9EF033A3A3E267B3B1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/tests/test_gpg.py 
new/securesystemslib-1.3.0/tests/test_gpg.py
--- old/securesystemslib-1.2.0/tests/test_gpg.py        2020-02-02 
01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/tests/test_gpg.py        2020-02-02 
01:00:00.000000000 +0100
@@ -693,7 +693,7 @@
         )
         self.assertTrue(
             expected == str(ctx.exception),
-            f"\nexpected: {expected}" "\ngot:      {ctx.exception}",
+            f"\nexpected: {expected}\ngot:      {{ctx.exception}}",
         )
 
 
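Review bot: The doubled braces in `{{ctx.exception}}` make the assertion message print the literal text `{ctx.exception}` instead of the exception that was raised, so a failing run shows the expected string but not what was actually received. This preserves what the old implicitly concatenated plain string did, but that looks like an oversight rather than intent. Single braces fix it: `f"\nexpected: {expected}\ngot:      {ctx.exception}",`. The enclosing test method starts outside the hunk.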
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/securesystemslib-1.2.0/tox.ini 
new/securesystemslib-1.3.0/tox.ini
--- old/securesystemslib-1.2.0/tox.ini  2020-02-02 01:00:00.000000000 +0100
+++ new/securesystemslib-1.3.0/tox.ini  2020-02-02 01:00:00.000000000 +0100
@@ -69,7 +69,14 @@
     ruff format --diff {[testenv:lint]lint_dirs}
     ruff check {[testenv:lint]lint_dirs}
 
-    mypy {[testenv:lint]lint_dirs}
+    mypy securesystemslib
+    zizmor --persona=pedantic -q .
+
+[testenv:fix]
+deps = {[testenv:lint]deps}
+commands =
+    ruff check --fix {[testenv:lint]lint_dirs}
+    ruff format {[testenv:lint]lint_dirs}
 
 # Requires docker running
 [testenv:local-aws-kms]
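Review bot: `mypy securesystemslib` hard-codes the package path while the ruff commands around it still use `{[testenv:lint]lint_dirs}`, so anything else `lint_dirs` names is presumably no longer type-checked, and the file does not record that this is deliberate. A comment next to the command, e.g. `# mypy: library only; other lint_dirs are not fully annotated`, would make the narrowed scope explicit. The value of `lint_dirs` is defined outside this hunk, so confirm what is dropped. The new `zizmor --persona=pedantic -q .` step also needs `zizmor` in the lint environment's `deps`, which are defined above the hunk and not visible here, and `[testenv:fix]` inherits those same deps.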
