Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-sigstore for openSUSE:Factory
checked in at 2026-01-27 16:16:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-sigstore (Old)
and /work/SRC/openSUSE:Factory/.python-sigstore.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-sigstore"
Tue Jan 27 16:16:13 2026 rev:5 rq:1329469 version:4.2.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-sigstore/python-sigstore.changes
2025-11-10 19:19:30.757806967 +0100
+++
/work/SRC/openSUSE:Factory/.python-sigstore.new.1928/python-sigstore.changes
2026-01-27 16:16:14.415852324 +0100
@@ -1,0 +2,17 @@
+Tue Jan 27 09:04:41 UTC 2026 - Nico Krapp <[email protected]>
+
+- Update to 4.2.0 (fixes CVE-2026-24408, bsc#1257303)
+ * Add state validation to OIDC flow to prevent Cross-site request forgery
+ during OIDC authorization (GHSA-hm8f-75xx-w2vr)
+ * verification now ensures that artifact digest documented in bundle and the
+ real digest match (this is a bundle consistency check: bundle signature was
+ always verified over real digest)
+ * Fix issue with Signed Certificate Timestamp parsing where extensions
+ were not allowed by sigstore-python
+ * Update supported public key algorithms
+ * trust: Update embedded TUF root
+ * Removed support for Python 3.9 as it is end-of-life
+ * Removed unused nonce in Oauth flow
+- drop fix-ecparam-testing.patch and nofail-neg-test.patch, merged upstream
+
+-------------------------------------------------------------------
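Review bot: style point on the last two feature bullets of this changelog hunk: "Oauth" should be spelled "OAuth" to match the "OIDC" bullet above it, and "verification now ensures ..." would read better capitalized like its sibling entries. The substance is clear as written: the CVE-2026-24408 / GHSA-hm8f-75xx-w2vr line names the fix (state validation in the OIDC authorization flow against CSRF), and the digest bullet is careful to state that the new check is a bundle consistency check rather than a change to signature verification, which the entry says was always performed over the real digest.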
Old:
----
fix-ecparam-testing.patch
nofail-neg-test.patch
sigstore-4.1.0.tar.gz
New:
----
sigstore-4.2.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-sigstore.spec ++++++
--- /var/tmp/diff_new_pack.2ZMP9u/_old 2026-01-27 16:16:15.099880846 +0100
+++ /var/tmp/diff_new_pack.2ZMP9u/_new 2026-01-27 16:16:15.103881012 +0100
@@ -1,7 +1,7 @@
#
# spec file for package python-sigstore
#
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,20 +24,14 @@
%{?sle15_python_module_pythons}
Name: python-sigstore
-Version: 4.1.0
+Version: 4.2.0
Release: 0
Summary: A tool for signing Python package distributions
License: Apache-2.0
URL: https://github.com/sigstore/sigstore-python
Source0:
https://github.com/sigstore/sigstore-python/archive/v%{version}.tar.gz#/sigstore-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM fix-ecparam-testing.patch
gh#sigstore/sigstore-python#1603 [email protected]
-# Update supported public key algorithms
-Patch0: fix-ecparam-testing.patch
-# PATCH-FIX-UPSTREAM nofail-neg-test.patch gh#sigstore/sigstore-python!1605
[email protected]
-# Try to not fail negative key tests if support is not there
-Patch1: nofail-neg-test.patch
BuildRequires: %{python_module PyJWT >= 2.1}
-BuildRequires: %{python_module base >= 3.9}
+BuildRequires: %{python_module base >= 3.10}
BuildRequires: %{python_module cryptography >= 42}
BuildRequires: %{python_module flit-core >= 3.2}
BuildRequires: %{python_module id >= 1.1.0}
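Review bot: the Patch0/Patch1 declarations and their PATCH-FIX-UPSTREAM comments are removed here, but the %prep section is outside this diff; confirm that no explicit %patch0/%patch1 lines remain there (with %autosetup the removal of the declarations alone is sufficient). The bump of `%{python_module base >= 3.9}` to `>= 3.10` is consistent with the changelog's "Removed support for Python 3.9" entry; the runtime Requires (not shown in this hunk) should carry the same floor so the build and install constraints do not diverge.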
++++++ sigstore-4.1.0.tar.gz -> sigstore-4.2.0.tar.gz ++++++
++++ 2274 lines of diff (skipped)