Hello community,
here is the log from the commit of package python-rfc3161-client for
openSUSE:Factory checked in at 2026-01-27 16:17:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-rfc3161-client (Old)
and /work/SRC/openSUSE:Factory/.python-rfc3161-client.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-rfc3161-client"
Tue Jan 27 16:17:36 2026 rev:4 rq:1329395 version:1.0.5
Changes:
--------
---
/work/SRC/openSUSE:Factory/python-rfc3161-client/python-rfc3161-client.changes
2025-06-23 15:07:07.142354750 +0200
+++
/work/SRC/openSUSE:Factory/.python-rfc3161-client.new.1928/python-rfc3161-client.changes
2026-01-27 16:17:40.927413900 +0100
@@ -1,0 +2,10 @@
+Tue Jan 27 01:37:15 UTC 2026 - Steve Kowalik <[email protected]>
+
+- Update to 1.0.5:
+ * Bump pyca/cryptography dependency upper bound to version 47
+ * Timestamps are now verified with the timestamp time as reference time
+ like the RFC says: this means that the certificate chain no longer needs
+ to be valid at current time, it is enough for it to have been valid at
+ timestamp time
+
+-------------------------------------------------------------------
Old:
----
rfc3161_client-1.0.3.tar.gz
New:
----
rfc3161_client-1.0.5.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-rfc3161-client.spec ++++++
--- /var/tmp/diff_new_pack.owTW9k/_old 2026-01-27 16:17:42.715488377 +0100
+++ /var/tmp/diff_new_pack.owTW9k/_new 2026-01-27 16:17:42.723488711 +0100
@@ -1,7 +1,7 @@
#
# spec file for package python-rfc3161-client
#
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -27,7 +27,7 @@
%{?sle15_python_module_pythons}
Name: python-rfc3161-client
-Version: 1.0.3
+Version: 1.0.5
Release: 0
Summary: Python library implementing the Time-Stamp Protocol (TSP)
described in RFC 3161
License: Apache-2.0
@@ -37,7 +37,6 @@
BuildRequires: %{python_module devel}
BuildRequires: %{python_module maturin >= 1.7}
BuildRequires: %{python_module pip}
-BuildRequires: %{python_module wheel}
BuildRequires: python-rpm-macros
BuildRequires: cargo >= 1.56.0
++++++ rfc3161_client-1.0.3.tar.gz -> rfc3161_client-1.0.5.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/rfc3161_client-1.0.3/.github/workflows/CI.yml
new/rfc3161_client-1.0.5/.github/workflows/CI.yml
--- old/rfc3161_client-1.0.3/.github/workflows/CI.yml 2025-06-20
17:58:34.000000000 +0200
+++ new/rfc3161_client-1.0.5/.github/workflows/CI.yml 2025-09-23
12:43:36.000000000 +0200
@@ -21,12 +21,12 @@
runs-on: ubuntu-latest
name: sdists
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
with:
persist-credentials: false
- name: Install the latest version of uv
- uses: astral-sh/setup-uv@445689ea25e0de0a23313031f5fe577c74ae45a1 #
v6.3.0
+ uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 #
v6.7.0
with:
enable-cache: true
cache-dependency-glob: pyproject.toml
@@ -50,16 +50,16 @@
- target: aarch64
- target: armv7
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
with:
persist-credentials: false
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #
v5
+ - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #
v5
with:
python-version: 3.x
- name: Build wheels
- uses: PyO3/maturin-action@35be3186fc8e037e329f06b68dcd807d83dcc6dc # v1
+ uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1
with:
target: ${{ matrix.platform.target }}
args: --release --out dist --find-interpreter
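Review bot: The `# v5` label beside the new setup-python pin `e797f83b…` on the added `- uses: actions/setup-python@…` line disagrees with the label the same SHA receives in the Windows hunk of this file (`# v6.0.0`, L161-162), so one of the two comments is stale; the same pattern appears for download-artifact `634f93cb…`, labelled `# v5.0.0` at L143 but `# v4` at L198, and for checkout `08c6903c…`, kept at `# v4` everywhere here while zizmor.yml moves its unpinned reference to `@v5`. The version comment next to a SHA pin is the only thing a human reviewer, and tools that parse it such as Dependabot or zizmor, can use to notice that a "pin refresh" is actually a major-version upgrade, so a wrong label hides a breaking change behind a routine bump. Suggested: resolve the tag each SHA actually points at and use one label per SHA throughout CI.yml, lint.yml (L226-227) and tests.yml, e.g. `# v6.0.0` on every `e797f83b…` line if that is the tag it resolves to. The other hunks with the same labels (L111-130, L171-190, L191-208) should be updated together.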
@@ -92,16 +92,16 @@
- target: aarch64
- target: armv7
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
with:
persist-credentials: false
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #
v5
+ - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #
v5
with:
python-version: 3.x
- name: Build wheels
- uses: PyO3/maturin-action@35be3186fc8e037e329f06b68dcd807d83dcc6dc # v1
+ uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1
with:
target: ${{ matrix.platform.target }}
args: --release --out dist --find-interpreter
@@ -125,16 +125,16 @@
- {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE:
'x86_64-pc-windows-msvc'}
name: ${{ matrix.WINDOWS.WINDOWS }}
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
with:
persist-credentials: false
- - uses:
actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ - uses:
actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
with:
name: rfc3161-sdist
- name: Install the latest version of uv
- uses: astral-sh/setup-uv@445689ea25e0de0a23313031f5fe577c74ae45a1 #
v6.3.0
+ uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 #
v6.7.0
with:
enable-cache: true
cache-dependency-glob: pyproject.toml
@@ -142,12 +142,12 @@
# We cannot use `uv python install` because it doesn't allow to install
python
# version for another architecture
- name: Setup python
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #
v5.6.0
+ uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #
v6.0.0
with:
python-version: 3.x
architecture: ${{ matrix.WINDOWS.ARCH }}
- - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
+ - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
with:
toolchain: stable
target: ${{ matrix.WINDOWS.RUST_TRIPLE }}
@@ -199,16 +199,16 @@
- runner: macos-14
target: aarch64
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
with:
persist-credentials: false
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #
v5
+ - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #
v5
with:
python-version: 3.x
- name: Build wheels
- uses: PyO3/maturin-action@35be3186fc8e037e329f06b68dcd807d83dcc6dc # v1
+ uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1
env:
# Do not build OpenSSL on MacOS, since it's already installed
# and we don't need to cross-compile.
@@ -238,12 +238,12 @@
# Used to publish to PyPI with Trusted Publishing.
id-token: write
steps:
- - uses:
actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+ - uses:
actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v4
with:
path: dist/
merge-multiple: true
- name: Publish distributions
- uses:
pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+ uses:
pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
with:
attestations: true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/rfc3161_client-1.0.3/.github/workflows/lint.yml
new/rfc3161_client-1.0.5/.github/workflows/lint.yml
--- old/rfc3161_client-1.0.3/.github/workflows/lint.yml 2025-06-20
17:58:34.000000000 +0200
+++ new/rfc3161_client-1.0.5/.github/workflows/lint.yml 2025-09-23
12:43:36.000000000 +0200
@@ -10,22 +10,22 @@
lint:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
with:
persist-credentials: false
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #
v5
+ - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #
v5
with:
python-version-file: pyproject.toml
- name: Setup rust
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
+ uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
with:
components: rustfmt
toolchain: 1.81.0
- name: Install the latest version of uv
- uses: astral-sh/setup-uv@445689ea25e0de0a23313031f5fe577c74ae45a1 #
v6.3.0
+ uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 #
v6.7.0
with:
enable-cache: true
cache-dependency-glob: pyproject.toml
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/rfc3161_client-1.0.3/.github/workflows/tests.yml
new/rfc3161_client-1.0.5/.github/workflows/tests.yml
--- old/rfc3161_client-1.0.3/.github/workflows/tests.yml 2025-06-20
17:58:34.000000000 +0200
+++ new/rfc3161_client-1.0.5/.github/workflows/tests.yml 2025-09-23
12:43:36.000000000 +0200
@@ -23,12 +23,12 @@
runs-on: ${{ matrix.platform }}
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
with:
persist-credentials: false
- name: Install the latest version of uv and set the python version
- uses: astral-sh/setup-uv@445689ea25e0de0a23313031f5fe577c74ae45a1 #
v6.3.0
+ uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 #
v6.7.0
with:
enable-cache: true
cache-dependency-glob: pyproject.toml
@@ -53,12 +53,12 @@
runs-on: windows-latest
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
with:
persist-credentials: false
- name: Install the latest version of uv and set the python version
- uses: astral-sh/setup-uv@445689ea25e0de0a23313031f5fe577c74ae45a1 #
v6.3.0
+ uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 #
v6.7.0
with:
enable-cache: true
cache-dependency-glob: pyproject.toml
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/rfc3161_client-1.0.3/.github/workflows/zizmor.yml
new/rfc3161_client-1.0.5/.github/workflows/zizmor.yml
--- old/rfc3161_client-1.0.3/.github/workflows/zizmor.yml 2025-06-20
17:58:34.000000000 +0200
+++ new/rfc3161_client-1.0.5/.github/workflows/zizmor.yml 2025-09-23
12:43:36.000000000 +0200
@@ -17,12 +17,12 @@
actions: read
steps:
- name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@v5
with:
persist-credentials: false
- name: Install the latest version of uv
- uses: astral-sh/setup-uv@445689ea25e0de0a23313031f5fe577c74ae45a1
+ uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4
- name: Run zizmor 🌈
run: uvx zizmor --format sarif . > results.sarif
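Review bot: `uses: actions/checkout@v5` on the added line is a mutable major tag, while every other workflow in this release pins the same action to a full commit SHA (`08c6903c…`); a moved tag changes what the auditing workflow itself runs without any diff appearing here. The new setup-uv line `b75a909f…` is SHA-pinned but carries no version comment, unlike its counterparts in CI.yml (`# v6.7.0`). Suggest pinning checkout to the same SHA the other workflows use, with the label that SHA actually resolves to, `uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # <resolved tag>`, and adding `# v6.7.0` after the setup-uv SHA so all four workflow files follow one convention.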
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/rfc3161_client-1.0.3/CHANGELOG.md
new/rfc3161_client-1.0.5/CHANGELOG.md
--- old/rfc3161_client-1.0.3/CHANGELOG.md 2025-06-20 17:58:34.000000000
+0200
+++ new/rfc3161_client-1.0.5/CHANGELOG.md 2025-09-23 12:43:36.000000000
+0200
@@ -7,6 +7,21 @@
## [Unreleased]
+## [1.0.5] - 2025-09-23
+
+### Changed
+
+- Bump `pyca/cryptography` dependency upper bound to version 47
+
+## [1.0.4] - 2025-08-11
+
+### Changed
+
+- Timestamps are now verified with the timestamp time as reference time like
the RFC
+ says: this means that the certificate chain no longer needs to be valid at
current
+ time, it is enough for it to have been valid at timestamp time
+ ([#174](https://github.com/trailofbits/rfc3161-client/pull/174))
+
## [1.0.3] - 2025-06-20
### Fixed
@@ -129,7 +144,9 @@
This is the first alpha release of `rfc3161-client`.
-[Unreleased]:
https://github.com/trailofbits/rfc3161-client/compare/v1.0.3...HEAD
+[Unreleased]:
https://github.com/trailofbits/rfc3161-client/compare/v1.0.5...HEAD
+[1.0.5]: https://github.com/trailofbits/rfc3161-client/compare/v1.0.4...v1.0.5
+[1.0.4]: https://github.com/trailofbits/rfc3161-client/compare/v1.0.3...v1.0.4
[1.0.3]: https://github.com/trailofbits/rfc3161-client/compare/v1.0.2...v1.0.3
[1.0.2]: https://github.com/trailofbits/rfc3161-client/compare/v1.0.1...v1.0.2
[1.0.1]: https://github.com/trailofbits/rfc3161-client/compare/v1.0.0...v1.0.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/rfc3161_client-1.0.3/PKG-INFO
new/rfc3161_client-1.0.5/PKG-INFO
--- old/rfc3161_client-1.0.3/PKG-INFO 1970-01-01 01:00:00.000000000 +0100
+++ new/rfc3161_client-1.0.5/PKG-INFO 1970-01-01 01:00:00.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: rfc3161-client
-Version: 1.0.3
+Version: 1.0.5
Classifier: Development Status :: 5 - Production/Stable
Classifier: Programming Language :: Rust
Classifier: Programming Language :: Python :: 3
@@ -9,12 +9,12 @@
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Typing :: Typed
-Requires-Dist: cryptography>=43,<46
+Requires-Dist: cryptography>=43,<47
Requires-Dist: pytest ; extra == 'test'
Requires-Dist: pytest-cov ; extra == 'test'
Requires-Dist: pretend ; extra == 'test'
Requires-Dist: coverage[toml] ; extra == 'test'
-Requires-Dist: ruff>=0.7,<0.13 ; extra == 'lint'
+Requires-Dist: ruff>=0.7,<0.14 ; extra == 'lint'
Requires-Dist: interrogate ; extra == 'lint'
Requires-Dist: mypy ; extra == 'lint'
Requires-Dist: types-requests ; extra == 'lint'
@@ -25,7 +25,6 @@
Provides-Extra: lint
Provides-Extra: dev
License-File: LICENSE
-Author: Trail of Bits <[email protected]>
Author-email: Trail of Bits <[email protected]>
Requires-Python: >=3.9
Description-Content-Type: text/markdown; charset=UTF-8; variant=GFM
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/rfc3161_client-1.0.3/pyproject.toml
new/rfc3161_client-1.0.5/pyproject.toml
--- old/rfc3161_client-1.0.3/pyproject.toml 2025-06-20 17:58:34.000000000
+0200
+++ new/rfc3161_client-1.0.5/pyproject.toml 2025-09-23 12:43:36.000000000
+0200
@@ -13,16 +13,16 @@
]
# Maturin does not support dynamic fields
# So we keep the version number here instead of __init__
-version = "1.0.3"
+version = "1.0.5"
readme = "README.md"
license = { file = "LICENSE" }
authors = [{ name = "Trail of Bits", email = "[email protected]" }]
-dependencies = ["cryptography>=43,<46"]
+dependencies = ["cryptography>=43,<47"]
[project.optional-dependencies]
doc = []
test = ["pytest", "pytest-cov", "pretend", "coverage[toml]"]
-lint = ["ruff >= 0.7,< 0.13", "interrogate", "mypy", "types-requests"]
+lint = ["ruff >= 0.7,< 0.14", "interrogate", "mypy", "types-requests"]
dev = ["rfc3161-client[test,lint,doc]", "maturin>=1.7,<2.0"]
[project.urls]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/rfc3161_client-1.0.3/rust/src/lib.rs
new/rfc3161_client-1.0.5/rust/src/lib.rs
--- old/rfc3161_client-1.0.3/rust/src/lib.rs 2025-06-20 17:58:34.000000000
+0200
+++ new/rfc3161_client-1.0.5/rust/src/lib.rs 2025-09-23 12:43:36.000000000
+0200
@@ -1,6 +1,7 @@
pub mod name;
pub mod util;
+use openssl::x509::verify::X509VerifyParam;
use pyo3::{exceptions::PyValueError, prelude::*};
use sha2::Digest;
use std::collections::hash_map::DefaultHasher;
@@ -709,10 +710,11 @@
}
#[pyo3::pyfunction]
-#[pyo3(signature = (sig, certs))]
+#[pyo3(signature = (sig, verification_time, certs))]
fn pkcs7_verify(
py: pyo3::Python<'_>,
sig: &[u8],
+ verification_time: pyo3::Py<pyo3::types::PyDateTime>,
certs: Vec<pyo3::Py<pyo3::types::PyBytes>>,
) -> pyo3::PyResult<()> {
let p7 = openssl::pkcs7::Pkcs7::from_der(sig).map_err(|e| {
@@ -739,6 +741,30 @@
})?;
}
+ // Set verification time, set purpose to TIMESTAMP_SIGN
+ let verification_time_i64 = verification_time
+ .bind(py)
+ .call_method0(pyo3::intern!(py, "timestamp"))?
+ .extract::<f64>()? as i64;
+
+ let mut params = X509VerifyParam::new().map_err(|e| {
+ pyo3::exceptions::PyValueError::new_err(format!(
+ "Unable to create X509VerifyParam: {:?}",
+ e
+ ))
+ })?;
+ // openssl time parameter is a time_t: 32 bit platforms may have issues
+ let native_verification_time =
verification_time_i64.try_into().map_err(|e| {
+ pyo3::exceptions::PyValueError::new_err(format!(
+ "Unable to handle verification time using platform native
time_t: {}",
+ e
+ ))
+ })?;
+ params.set_time(native_verification_time);
+ b.set_param(¶ms).map_err(|e| {
+ pyo3::exceptions::PyValueError::new_err(format!("Unable to set
verify param: {:?}", e))
+ })?;
+
b.set_purpose(openssl::x509::X509PurposeId::TIMESTAMP_SIGN)
.map_err(|e| {
pyo3::exceptions::PyValueError::new_err(format!(
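Review bot: The added `call_method0(pyo3::intern!(py, "timestamp"))` on `verification_time` interprets a naive datetime as host local time, so unless the caller guarantees a tz-aware value the instant handed to `params.set_time` can be shifted by the machine's UTC offset; nothing in the hunk checks `tzinfo`. A cheap guard before the conversion is to read `verification_time.bind(py).getattr(pyo3::intern!(py, "tzinfo"))?.is_none()` and return `PyValueError::new_err("verification_time must be timezone-aware")` when it is true, which also makes the 32-bit `time_t` error path the only remaining conversion failure. The `as i64` cast saturates rather than panics on an out-of-range float, so the subsequent `try_into` comment is the right place to explain the platform caveat. `pkcs7_verify`'s body continues outside this hunk.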
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/rfc3161_client-1.0.3/src/rfc3161_client/_rust/verify/__init__.pyi
new/rfc3161_client-1.0.5/src/rfc3161_client/_rust/verify/__init__.pyi
--- old/rfc3161_client-1.0.3/src/rfc3161_client/_rust/verify/__init__.pyi
2025-06-20 17:58:34.000000000 +0200
+++ new/rfc3161_client-1.0.5/src/rfc3161_client/_rust/verify/__init__.pyi
2025-09-23 12:43:36.000000000 +0200
@@ -1,4 +1,7 @@
+from datetime import datetime
+
def pkcs7_verify(
sig: bytes,
+ verification_time: datetime,
certs: list[bytes],
) -> None: ...
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/rfc3161_client-1.0.3/src/rfc3161_client/verify.py
new/rfc3161_client-1.0.5/src/rfc3161_client/verify.py
--- old/rfc3161_client-1.0.3/src/rfc3161_client/verify.py 2025-06-20
17:58:34.000000000 +0200
+++ new/rfc3161_client-1.0.5/src/rfc3161_client/verify.py 2025-09-23
12:43:36.000000000 +0200
@@ -5,14 +5,18 @@
import abc
import hashlib
from copy import copy
+from typing import TYPE_CHECKING
import cryptography.x509
-from cryptography.hazmat.primitives._serialization import Encoding
+from cryptography.hazmat.primitives.serialization import Encoding
from rfc3161_client._rust import verify as _rust_verify
from rfc3161_client.errors import VerificationError
from rfc3161_client.tsp import PKIStatus, TimeStampRequest, TimeStampResponse
+if TYPE_CHECKING:
+ from datetime import datetime
+
# See
https://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml
SHA256_OID = "2.16.840.1.101.3.4.2.1"
SHA384_OID = "2.16.840.1.101.3.4.2.2"
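Review bot: `datetime` is imported only under `TYPE_CHECKING` in the added block, but the annotation `verification_time: datetime` on the `_verify_signed_data` signature later in this file is evaluated at class-definition time unless the module has `from __future__ import annotations` above line 5, which is outside the hunk; without that future import the module fails to import with a NameError. If the project's test suite passes, the future import is presumably present; otherwise the simplest fix is a plain runtime `from datetime import datetime` in place of the guarded block. A one-line comment on the guard, `# datetime is only needed for annotations; requires the __future__ annotations import`, would stop the next reader from having to check.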
@@ -333,24 +337,32 @@
cert.public_bytes(Encoding.DER) for cert in self._intermediates
)
+ # Provide the timestamp gen_time as the PKCS7 verification time: the
certificates only
+ # need to be valid at timestamp time, not currently.
p7 = tsp_response.time_stamp_token()
+ tsp_time = tsp_response.tst_info.gen_time
try:
- self._verify_signed_data(p7, verification_certificate)
+ self._verify_signed_data(p7, tsp_time, verification_certificate)
except ValueError as e:
msg = f"Error while verifying certificates: {e}"
raise VerificationError(msg)
return True
- def _verify_signed_data(self, sig: bytes, certificates: set[bytes]) ->
None:
+ def _verify_signed_data(
+ self, sig: bytes, verification_time: datetime, certificates: set[bytes]
+ ) -> None:
"""Verify signed data.
This function verifies that the bytes used in a signature are signed
by a certificate
- trusted in the `certificates` list.
+ trusted in the `certificates` list. The certificates are verified to
be valid at
+ given verification time.
+
The function does not return anything, but raises an exception if the
verification fails.
:param sig: Bytes of a PKCS7 object. This must be in DER format and
will be unserialized.
+ :param timestamp: Verification time.
:param certificates: A list of trusted certificates to verify the
response against.
:raise: ValueError if the signature verification fails.
"""
- return _rust_verify.pkcs7_verify(sig, list(certificates))
+ return _rust_verify.pkcs7_verify(sig, verification_time,
list(certificates))
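Review bot: The docstring names the new parameter `:param timestamp:` while the signature calls it `verification_time`; change it to `:param verification_time: Instant at which the certificate chain must have been valid (the token's gen_time).`. Because `tsp_time` is read from the response's own `tst_info.gen_time`, the chain is now validated at an instant asserted by the very token being verified; that is what RFC 3161 prescribes, but the caller-facing docs should say that a token signed with a TSA key that was valid at the claimed gen_time still verifies after that certificate has expired, so users who need protection against later key compromise must combine this check with revocation data or an external time bound. The verify method whose tail appears at the top of the hunk starts before the hunk; `_verify_signed_data` is shown in full.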
Binary files old/rfc3161_client-1.0.3/test/fixtures/sigstore.mock/payload and
new/rfc3161_client-1.0.5/test/fixtures/sigstore.mock/payload differ
Binary files
old/rfc3161_client-1.0.3/test/fixtures/sigstore.mock/response-expired.tsr and
new/rfc3161_client-1.0.5/test/fixtures/sigstore.mock/response-expired.tsr differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/rfc3161_client-1.0.3/test/fixtures/sigstore.mock/ts_chain.pem
new/rfc3161_client-1.0.5/test/fixtures/sigstore.mock/ts_chain.pem
--- old/rfc3161_client-1.0.3/test/fixtures/sigstore.mock/ts_chain.pem
1970-01-01 01:00:00.000000000 +0100
+++ new/rfc3161_client-1.0.5/test/fixtures/sigstore.mock/ts_chain.pem
2025-09-23 12:43:36.000000000 +0200
@@ -0,0 +1,6 @@
+-----BEGIN CERTIFICATE-----
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
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBnTCCAUSgAwIBAgIBATAKBggqhkjOPQQDAzAmMQwwCgYDVQQDEwN0c2ExFjAUBgNVBAoTDXNpZ3N0b3JlLm1vY2swHhcNMjMwMTAxMDAwMDAwWhcNMjQwMTAxMDAwMDAwWjAmMQwwCgYDVQQDEwN0c2ExFjAUBgNVBAoTDXNpZ3N0b3JlLm1vY2swWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARgjiF45Os2tk7bt6UUTzKd+t08yKS21GRt768kpDnQbpt/BDdbKEulHDDCiF6UMCbzFHMnnqdiwhrdUeK9W+mYo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUPxRcZOxVMbf6BPJQ2RBdLO5GrLgwHwYDVR0jBBgwFoAUPxRcZOxVMbf6BPJQ2RBdLO5GrLgwCgYIKoZIzj0EAwMDRwAwRAIgLO7QL1l8uJt9ceNQ3Yq65chp6XamVMf7kFPY5h7Bif8CIFQJP12/f4ghv1ywAiUlr39JkSs+CK64mtsJcpjczc/s
+-----END CERTIFICATE-----
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/rfc3161_client-1.0.3/test/test_verify.py
new/rfc3161_client-1.0.5/test/test_verify.py
--- old/rfc3161_client-1.0.3/test/test_verify.py 2025-06-20
17:58:34.000000000 +0200
+++ new/rfc3161_client-1.0.5/test/test_verify.py 2025-09-23
12:43:36.000000000 +0200
@@ -1,3 +1,4 @@
+from datetime import datetime
from pathlib import Path
from typing import Any, cast
@@ -216,6 +217,7 @@
pretend.stub(
signed_data=ts_response.signed_data,
time_stamp_token=lambda: b"",
+ tst_info=ts_response.tst_info,
)
)
@@ -494,3 +496,46 @@
with pytest.raises(VerificationError, match="signature failure"):
verifier.verify_message(ts_response, b"hello")
+
+
+def test_verify_succeeds_even_if_cert_is_currently_expired() -> None:
+ """Ensure that a timestamp is considered valid even if it is expired
+ at verification time (as long as the full certificate
+ chain was valid at timestamp time).
+
+ The test asset comes from sigstore-conformance test suite:
+
+ https://github.com/trailofbits/rfc3161-client/issues/171
+ """
+ cert_path = _FIXTURE / "sigstore.mock" / "ts_chain.pem"
+ tsr_path = _FIXTURE / "sigstore.mock" / "response-expired.tsr"
+ payload_path = _FIXTURE / "sigstore.mock" / "payload"
+
+ certificates =
cryptography.x509.load_pem_x509_certificates(cert_path.read_bytes())
+ verifier = (
+ VerifierBuilder()
+ .add_root_certificate(certificates[-1])
+ .tsa_certificate(certificates[0])
+ .build()
+ )
+
+ ts_response = decode_timestamp_response(tsr_path.read_bytes())
+
+ # timestamp verifies because timestamp time is within certificate validity
window
+ # (even though currently the certificate chain is expired)
+ assert verifier.verify_message(ts_response, payload_path.read_bytes())
+
+ # same timestamp fails to verify if timestamp time is mocked to be outside
validity window
+ with pytest.raises(VerificationError, match="certificate has expired"):
+ verifier.verify_message(
+ pretend.stub(
+ signed_data=ts_response.signed_data,
+ time_stamp_token=ts_response.time_stamp_token,
+ tst_info=pretend.stub(
+ message_imprint=ts_response.tst_info.message_imprint,
+ gen_time=datetime(2025, 7, 21),
+ ),
+ status=ts_response.status,
+ ),
+ payload_path.read_bytes(),
+ )
++++++ vendor.tar.zst ++++++
/work/SRC/openSUSE:Factory/python-rfc3161-client/vendor.tar.zst
/work/SRC/openSUSE:Factory/.python-rfc3161-client.new.1928/vendor.tar.zst
differ: char 7, line 1