Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-awscrt for openSUSE:Factory checked in at 2026-06-10 15:51:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-awscrt (Old) and /work/SRC/openSUSE:Factory/.python-awscrt.new.2375 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-awscrt" Wed Jun 10 15:51:17 2026 rev:8 rq:1358239 version:0.34.1 Changes: -------- --- /work/SRC/openSUSE:Factory/python-awscrt/python-awscrt.changes 2026-05-27 16:15:49.786137050 +0200 +++ /work/SRC/openSUSE:Factory/.python-awscrt.new.2375/python-awscrt.changes 2026-06-10 15:51:43.253156899 +0200 @@ -1,0 +2,6 @@ +Mon Jun 8 13:04:04 UTC 2026 - John Paul Adrian Glaubitz <[email protected]> + +- Update to version 0.34.1 + * Drop python 3.8 and 3.13t in manylinux2014 by @sfod in (#745) + +------------------------------------------------------------------- Old: ---- awscrt-0.33.0.tar.gz New: ---- awscrt-0.34.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-awscrt.spec ++++++ --- /var/tmp/diff_new_pack.RTBVSt/_old 2026-06-10 15:51:44.749218895 +0200 +++ /var/tmp/diff_new_pack.RTBVSt/_new 2026-06-10 15:51:44.749218895 +0200 @@ -18,7 +18,7 @@ %{?sle15_python_module_pythons} Name: python-awscrt -Version: 0.33.0 +Version: 0.34.1 Release: 0 Summary: A common runtime for AWS Python projects License: Apache-2.0 ++++++ awscrt-0.33.0.tar.gz -> awscrt-0.34.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-crt-python-0.33.0/.github/workflows/ci.yml new/aws-crt-python-0.34.1/.github/workflows/ci.yml --- old/aws-crt-python-0.33.0/.github/workflows/ci.yml 2026-05-22 19:12:54.000000000 +0200 +++ new/aws-crt-python-0.34.1/.github/workflows/ci.yml 2026-06-04 18:40:25.000000000 +0200 @@ -7,7 +7,7 @@ - 'docs' env: - BUILDER_VERSION: v0.9.92 + BUILDER_VERSION: v0.9.93 BUILDER_SOURCE: releases BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net PACKAGE_NAME: aws-crt-python @@ -50,13 +50,11 @@ - x64 - x86 python: - - cp38-cp38 - cp39-cp39 - cp310-cp310 - cp311-cp311 - cp312-cp312 - cp313-cp313 - - cp313-cp313t - cp314-cp314 - cp314-cp314t permissions: 
@@ -78,13 +76,11 @@
 fail-fast: false
 matrix:
 python:
- - cp38-cp38
 - cp39-cp39
 - cp310-cp310
 - cp311-cp311
 - cp312-cp312
 - cp313-cp313
- - cp313-cp313t
 - cp314-cp314
 - cp314-cp314t
 permissions:
@@ -333,6 +329,42 @@ permissions: id-token: write # This is required for requesting the JWT steps: + - name: configure AWS credentials (containers) + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ env.CRT_CI_ROLE }} + aws-region: ${{ env.AWS_DEFAULT_REGION }} + - name: Build ${{ env.PACKAGE_NAME }} + consumers + run: | + python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')" + chmod a+x builder + ./builder build -p ${{ env.PACKAGE_NAME }} + + macos-s2n: + runs-on: macos-14 # latest + env: + AWS_CRT_USE_NON_FIPS_TLS_13: 1 + permissions: + id-token: write # This is required for requesting the JWT + steps: + - name: configure AWS credentials (containers) + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ env.CRT_CI_ROLE }} + aws-region: ${{ env.AWS_DEFAULT_REGION }} + - name: Build ${{ env.PACKAGE_NAME }} + consumers + run: | + python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')" + chmod a+x builder + ./builder build -p ${{ env.PACKAGE_NAME }} + + macos-x64-s2n: + runs-on: macos-14-large # latest + env: + AWS_CRT_USE_NON_FIPS_TLS_13: 1 + permissions: + id-token: write # This is required for requesting the JWT + steps: - name: configure AWS credentials (containers) uses: aws-actions/configure-aws-credentials@v4 with: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-crt-python-0.33.0/README.md new/aws-crt-python-0.34.1/README.md --- old/aws-crt-python-0.33.0/README.md 2026-05-22 19:12:54.000000000 +0200 +++ new/aws-crt-python-0.34.1/README.md 2026-06-04 18:40:25.000000000 +0200 
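Review bot: The added steps and the new `macos-s2n` job download `builder.pyz` with `urlretrieve` and execute it right after the runner has assumed `CRT_CI_ROLE`, with no integrity check on the file, so whatever `BUILDER_HOST` serves runs with the job's AWS credentials and `id-token: write`. The pattern is copied from the existing jobs, but each copy widens the exposure; comparing the file's SHA-256 with a digest kept in the repository next to `BUILDER_VERSION`, before `chmod a+x builder`, would close it. The action is also referenced by a mutable tag; `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4` pins what actually runs. The `macos-x64-s2n` job's steps continue past the end of the hunk.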
@@ -49,9 +49,33 @@ For an example, see `test.test_s3.py.S3RequestTest.test_fork_workaround` . -## Mac-Only TLS Behavior +## macOS TLS Configuration -Please note that on Mac, once a private key is used with a certificate, that certificate-key pair is imported into the Mac Keychain. All subsequent uses of that certificate will use the stored private key and ignore anything passed in programmatically. Beginning in v0.6.2, when a stored private key from the Keychain is used, the following will be logged at the "info" log level: +By default on macOS, aws-crt-python uses Apple Secure Transport for TLS. This provides FIPS-compliant cryptography +and integration with the macOS Keychain (e.g. PKCS#12 credentials), but is limited to TLS 1.2. + +To enable TLS 1.3 on macOS, set the environment variable: + +``` +export AWS_CRT_USE_NON_FIPS_TLS_13=1 +``` + +This switches the TLS backend from Apple Secure Transport to [s2n-tls](https://github.com/aws/s2n-tls) with +[aws-lc](https://github.com/aws/aws-lc) as the underlying libcrypto. The tradeoffs are: + +| | Secure Transport (default) | s2n-tls (`AWS_CRT_USE_NON_FIPS_TLS_13=1`) | +|---|---|---| +| TLS versions | Up to TLS 1.2 | Up to TLS 1.3 | +| FIPS compliance | Yes | No | +| macOS Keychain integration | Yes (PKCS#12, system certs) | No | + +This variable is checked at runtime and only affects macOS. It has no effect on Linux (which always uses s2n-tls) +or Windows (which always uses Schannel). Both TLS backends are compiled into the binary when building on macOS; +the environment variable selects which one is used. + +### Keychain Behavior + +Please note that on Mac, once a private key is used with a certificate, that certificate-key pair is imported into the Mac Keychain. All subsequent uses of that certificate will use the stored private key and ignore anything passed in programmatically. 
Beginning in v0.6.2, when a stored private key from the Keychain is used, the following will be logged at the "info" log level: ``` static: certificate has an existing certificate-key pair that was previously imported into the Keychain. Using key from Keychain instead of the one provided. @@ -110,8 +134,9 @@ ### OpenSSL and LibCrypto aws-crt-python does not use OpenSSL for TLS. -On Apple and Windows devices, the OS's default TLS library is used. -On Unix devices, [s2n-tls](https://github.com/aws/s2n-tls) is used. +On Windows, the OS's default TLS library (Schannel) is used. +On Apple (macOS), both Secure Transport and s2n-tls are compiled in; the backend is selected at runtime (see [macOS TLS Configuration](#macos-tls-configuration) below). +On other Unix devices, [s2n-tls](https://github.com/aws/s2n-tls) is used. But s2n-tls uses libcrypto, the cryptography math library bundled with OpenSSL. To simplify installation, aws-crt-python has its own copy of libcrypto. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-crt-python-0.33.0/continuous-delivery/build-wheels-manylinux2014-aarch64.sh new/aws-crt-python-0.34.1/continuous-delivery/build-wheels-manylinux2014-aarch64.sh --- old/aws-crt-python-0.33.0/continuous-delivery/build-wheels-manylinux2014-aarch64.sh 2026-05-22 19:12:54.000000000 +0200 +++ new/aws-crt-python-0.34.1/continuous-delivery/build-wheels-manylinux2014-aarch64.sh 2026-06-04 18:40:25.000000000 +0200 @@ -4,9 +4,6 @@ /opt/python/cp39-cp39/bin/python ./continuous-delivery/update-version.py -/opt/python/cp38-cp38/bin/python -m build -auditwheel repair --plat manylinux2014_aarch64 dist/awscrt-*cp38*.whl - /opt/python/cp39-cp39/bin/python -m build auditwheel repair --plat manylinux2014_aarch64 dist/awscrt-*cp39*.whl 
@@ -23,8 +20,6 @@ auditwheel repair --plat manylinux2014_aarch64 dist/awscrt-*cp313*.whl # The free-threaded build does not currently support the Limited C API or the stable ABI. Built them separately -/opt/python/cp313-cp313t/bin/python -m build -auditwheel repair --plat manylinux2014_aarch64 dist/awscrt-*cp313t*.whl /opt/python/cp314-cp314t/bin/python -m build auditwheel repair --plat manylinux2014_aarch64 dist/awscrt-*cp314t*.whl diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-crt-python-0.33.0/continuous-delivery/build-wheels-manylinux2014-x86_64.sh new/aws-crt-python-0.34.1/continuous-delivery/build-wheels-manylinux2014-x86_64.sh --- old/aws-crt-python-0.33.0/continuous-delivery/build-wheels-manylinux2014-x86_64.sh 2026-05-22 19:12:54.000000000 +0200 +++ new/aws-crt-python-0.34.1/continuous-delivery/build-wheels-manylinux2014-x86_64.sh 2026-06-04 18:40:25.000000000 +0200 @@ -4,9 +4,6 @@ /opt/python/cp39-cp39/bin/python ./continuous-delivery/update-version.py -/opt/python/cp38-cp38/bin/python -m build -auditwheel repair --plat manylinux2014_x86_64 dist/awscrt-*cp38*.whl - /opt/python/cp39-cp39/bin/python -m build auditwheel repair --plat manylinux2014_x86_64 dist/awscrt-*cp39*.whl 
@@ -23,8 +20,6 @@ auditwheel repair --plat manylinux2014_x86_64 dist/awscrt-*cp313*.whl # The free-threaded build does not currently support the Limited C API or the stable ABI. Built them separately -/opt/python/cp313-cp313t/bin/python -m build -auditwheel repair --plat manylinux2014_x86_64 dist/awscrt-*cp313t*.whl /opt/python/cp314-cp314t/bin/python -m build auditwheel repair --plat manylinux2014_x86_64 dist/awscrt-*cp314t*.whl diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-crt-python-0.33.0/crt/CMakeLists.txt new/aws-crt-python-0.34.1/crt/CMakeLists.txt --- old/aws-crt-python-0.33.0/crt/CMakeLists.txt 2026-05-22 19:12:54.000000000 +0200 +++ new/aws-crt-python-0.34.1/crt/CMakeLists.txt 2026-06-04 18:40:25.000000000 +0200 @@ -32,9 +32,10 @@ string(REPLACE "-g" "-g1" CMAKE_CXX_FLAGS_RELWITHDEBINFO "${CMAKE_CXX_FLAGS_RELWITHDEBINFO}") string(REPLACE "-g" "-g1" CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELWITHDEBINFO}") -# On Unix we use S2N for TLS and AWS-LC crypto. -# (On Windows and Apple we use the default OS libraries) -if ((UNIX AND NOT APPLE) OR AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE) +# On Linux and BSD, we use S2N for TLS and AWS-LC crypto. +# On Windows, we use the default OS libraries. +# On Apple, we use the default OS libraries by default, but support S2N usage. +if (UNIX OR AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE) option(USE_OPENSSL "Set this if you want to use your system's OpenSSL compatible libcrypto" OFF) include(AwsPrebuildDependency) @@ -48,7 +49,7 @@ -DCMAKE_BUILD_TYPE=RelWithDebInfo # Use the same build type as the rest of the project ) - if (APPLE OR WIN32) + if (WIN32) # Libcrypto implementations typically have several chunky pregenerated tables that add a lot # to artifact size. We dont really need them for ed25519 case on win/mac, so favor # smaller binary over perf here. 
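Review bot: The comment kept under the narrowed `if (WIN32)` in the second CMakeLists.txt hunk still says the size-over-speed choice covers the "ed25519 case on win/mac", which no longer holds once macOS builds aws-lc for the s2n TLS backend. Reword it to Windows only, for example `# We only need libcrypto for ed25519 on Windows, so favor smaller binary over perf here.` The first hunk's `if (UNIX OR AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE)` also appears to offer `USE_OPENSSL` on macOS now, where a system libcrypto would presumably stand in for the bundled aws-lc under TLS; a one-line comment there saying whether that is intended would help. The rest of that block is outside the hunk, so this is inferred from the option line alone.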
@@ -72,7 +73,10 @@ endif() -if(UNIX AND NOT APPLE) +# Build s2n-tls on all Unix platforms (Linux, BSD, macOS). +# On macOS (Darwin), both Secure Transport and s2n are built; the TLS backend +# is selected at runtime via the AWS_CRT_USE_NON_FIPS_TLS_13 environment variable. +if(UNIX) # prebuild s2n-tls. aws_prebuild_dependency( DEPENDENCY_NAME S2N @@ -80,6 +84,11 @@ CMAKE_ARGUMENTS -DUNSAFE_TREAT_WARNINGS_AS_ERRORS=OFF -DBUILD_TESTING=OFF + # On Intel Macs, Homebrew installs to /usr/local, which is in the default + # system header search path. Without this flag, s2n picks up Homebrew's OpenSSL + # headers instead of the bundled aws-lc headers. Not needed on ARM where Homebrew + # uses /opt/homebrew (not in default search paths), but harmless to set everywhere. + -DCMAKE_NO_SYSTEM_FROM_IMPORTED=ON ) endif() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-crt-python-0.33.0/setup.py new/aws-crt-python-0.34.1/setup.py --- old/aws-crt-python-0.33.0/setup.py 2026-05-22 19:12:54.000000000 +0200 +++ new/aws-crt-python-0.34.1/setup.py 2026-06-04 18:40:25.000000000 +0200 @@ -301,7 +301,7 @@ # aws-lc produces libcrypto.a AWS_LIBS.append(AwsLib('aws-lc', libname='crypto')) -if sys.platform != 'darwin' and sys.platform != 'win32': +if sys.platform != 'win32': AWS_LIBS.append(AwsLib('s2n')) AWS_LIBS.append(AwsLib('aws-c-common')) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-crt-python-0.33.0/test/test_mqtt5.py new/aws-crt-python-0.34.1/test/test_mqtt5.py --- old/aws-crt-python-0.33.0/test/test_mqtt5.py 2026-05-22 19:12:54.000000000 +0200 +++ new/aws-crt-python-0.34.1/test/test_mqtt5.py 2026-06-04 18:40:25.000000000 +0200 @@ -5,6 +5,7 @@ from awscrt import mqtt5, io, http, exceptions from test import test_retry_wrapper, NativeResourceTest import os +import sys import unittest import uuid import time 
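Review bot: The changed condition `if sys.platform != 'win32':` in setup.py now links s2n into every macOS build, but nothing at that line says why or that the backend is still chosen at runtime. A short comment would keep a later reader from re-adding the darwin exclusion: `# s2n is linked on macOS too; Secure Transport stays the default and AWS_CRT_USE_NON_FIPS_TLS_13 selects s2n at runtime`. The README in this commit states that setting the variable gives up FIPS compliance and Keychain integration, so deployments that depend on either may want the selected backend logged at startup; whether the native code does that is not visible here. The surrounding `AWS_LIBS` list continues outside the hunk.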
@@ -303,6 +304,38 @@ def test_direct_connect_mutual_tls(self): test_retry_wrapper(self._test_direct_connect_mutual_tls) + def _test_direct_connect_mutual_tls13(self): + input_host_name = _get_env_variable("AWS_TEST_MQTT5_IOT_CORE_TLS13_HOST") + input_cert = _get_env_variable("AWS_TEST_MQTT5_IOT_CORE_RSA_CERT") + input_key = _get_env_variable("AWS_TEST_MQTT5_IOT_CORE_RSA_KEY") + + client_options = mqtt5.ClientOptions( + host_name=input_host_name, + port=8883 + ) + tls_ctx_options = io.TlsContextOptions.create_client_with_mtls_from_path( + input_cert, + input_key + ) + client_options.tls_ctx = io.ClientTlsContext(tls_ctx_options) + + callbacks = Mqtt5TestCallbacks() + client = self._create_client(client_options=client_options, callbacks=callbacks) + client.start() + + # On macOS with Secure Transport (the default), TLS 1.3 is not supported, + # so the connection to a TLS-1.3-only host must fail. + if sys.platform == 'darwin' and not os.environ.get('AWS_CRT_USE_NON_FIPS_TLS_13'): + callbacks.future_connection_failure.result(TIMEOUT) + else: + callbacks.future_connection_success.result(TIMEOUT) + + client.stop() + callbacks.future_stopped.result(TIMEOUT) + + def test_direct_connect_mutual_tls13(self): + test_retry_wrapper(self._test_direct_connect_mutual_tls13) + def _test_direct_connect_http_proxy_tls(self): input_host_name = _get_env_variable("AWS_TEST_MQTT5_DIRECT_MQTT_TLS_HOST") input_port = int(_get_env_variable("AWS_TEST_MQTT5_DIRECT_MQTT_TLS_PORT")) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-crt-python-0.33.0/test/test_mqtt5_credentials.py new/aws-crt-python-0.34.1/test/test_mqtt5_credentials.py --- old/aws-crt-python-0.33.0/test/test_mqtt5_credentials.py 2026-05-22 19:12:54.000000000 +0200 +++ new/aws-crt-python-0.34.1/test/test_mqtt5_credentials.py 2026-06-04 18:40:25.000000000 +0200 
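Review bot: In `_test_direct_connect_mutual_tls13` the macOS branch only waits on `callbacks.future_connection_failure`, so any failure (wrong certificate path, unreachable host, rejected credentials) satisfies the test, not just the TLS 1.3 refusal it is meant to prove. Inspect that future's result for a TLS negotiation error if `Mqtt5TestCallbacks` exposes one; its definition is outside the hunk. The branch also keys on `os.environ.get('AWS_CRT_USE_NON_FIPS_TLS_13')` being truthy, so a value of `0` counts as enabled, which may or may not match how the native library reads the variable. Wrapping the waits in `try`/`finally` with `client.stop()` would keep a failed wait from leaving the client running. The enclosing test class starts outside the hunk.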
@@ -130,6 +130,9 @@ client.stop() callbacks.future_stopped.result(TIMEOUT) + # When AWS_CRT_USE_NON_FIPS_TLS_13 is set, the TLS backend on macOS switches from + # Secure Transport to s2n-tls, which doesn't support PKCS#12. + @unittest.skipIf(os.environ.get('AWS_CRT_USE_NON_FIPS_TLS_13'), "PKCS12 not supported with non-FIPS TLS 1.3") def test_mqtt5_cred_pkcs12(self): test_retry_wrapper(self._test_mqtt5_cred_pkcs12) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-crt-python-0.33.0/test/test_mqtt_credentials.py new/aws-crt-python-0.34.1/test/test_mqtt_credentials.py --- old/aws-crt-python-0.33.0/test/test_mqtt_credentials.py 2026-05-22 19:12:54.000000000 +0200 +++ new/aws-crt-python-0.34.1/test/test_mqtt_credentials.py 2026-06-04 18:40:25.000000000 +0200 @@ -46,6 +46,9 @@ connection.connect().result(TIMEOUT) connection.disconnect().result(TIMEOUT) + # When AWS_CRT_USE_NON_FIPS_TLS_13 is set, the TLS backend on macOS switches from + # Secure Transport to s2n-tls, which doesn't support PKCS#12. + @unittest.skipIf(os.environ.get('AWS_CRT_USE_NON_FIPS_TLS_13'), "PKCS12 not supported with non-FIPS TLS 1.3") def test_mqtt311_cred_pkcs12(self): test_retry_wrapper(self._test_mqtt311_cred_pkcs12)
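Review bot: The new `skipIf` on `test_mqtt5_cred_pkcs12` keys only on the environment variable, although the comment above it and the README say the variable affects macOS alone, so a stray `AWS_CRT_USE_NON_FIPS_TLS_13` on another platform silently drops the PKCS#12 credential test there. Tie the skip to the platform as well: `@unittest.skipIf(sys.platform == 'darwin' and os.environ.get('AWS_CRT_USE_NON_FIPS_TLS_13'), "PKCS12 not supported with non-FIPS TLS 1.3")`, adding `import sys` if the module lacks it (the import block is outside the hunk). The same applies to the `test_mqtt311_cred_pkcs12` hunk in `test/test_mqtt_credentials.py`.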
