Hello community, here is the log from the commit of package python-PyJWT for openSUSE:Factory checked in at 2019-11-04 17:07:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-PyJWT (Old) and /work/SRC/openSUSE:Factory/.python-PyJWT.new.2990 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-PyJWT" Mon Nov 4 17:07:38 2019 rev:20 rq:741201 version:1.7.1 Changes: -------- --- /work/SRC/openSUSE:Factory/python-PyJWT/python-PyJWT.changes 2019-03-12 09:44:25.407825191 +0100 +++ /work/SRC/openSUSE:Factory/.python-PyJWT.new.2990/python-PyJWT.changes 2019-11-04 17:07:40.116342035 +0100 @@ -1,0 +2,6 @@ +Fri Oct 18 20:24:47 UTC 2019 - Stefan BrĂ¼ns <[email protected]> + +- Fix build with ecdsa >= 0.13.3, #447 + * 0001-Catch-BadSignatureError-raised-by-ecdsa-0.13.3.patch + +------------------------------------------------------------------- New: ---- 0001-Catch-BadSignatureError-raised-by-ecdsa-0.13.3.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-PyJWT.spec ++++++ --- /var/tmp/diff_new_pack.GT16er/_old 2019-11-04 17:07:40.724342684 +0100 +++ /var/tmp/diff_new_pack.GT16er/_new 2019-11-04 17:07:40.728342688 +0100 @@ -25,6 +25,8 @@ Group: Development/Languages/Python URL: https://github.com/progrium/pyjwt Source: https://files.pythonhosted.org/packages/source/P/PyJWT/PyJWT-%{version}.tar.gz +# PATCH-FIX-UPSTREAM https://github.com/jpadilla/pyjwt/pull/448.patch +Patch0: 0001-Catch-BadSignatureError-raised-by-ecdsa-0.13.3.patch BuildRequires: %{python_module cryptography >= 1.4} BuildRequires: %{python_module ecdsa} BuildRequires: %{python_module pytest} @@ -44,6 +46,7 @@ %prep %setup -q -n PyJWT-%{version} +%patch0 -p1 %build %python_build ++++++ 0001-Catch-BadSignatureError-raised-by-ecdsa-0.13.3.patch ++++++ >From e4563939727281cd982c3a228ea80e4b8bf69997 Mon Sep 17 00:00:00 2001 From: StefanBruens <[email protected]> Date: Fri, 18 Oct 2019 22:10:16 +0200 Subject: [PATCH] Catch BadSignatureError raised by ecdsa 0.13.3 on verification errors The new ecdsa no longer uses AssertionError when the signature is too long. This happens in the test suite, where "123" is appended to the signature. Fixes #447 --- jwt/contrib/algorithms/py_ecdsa.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/jwt/contrib/algorithms/py_ecdsa.py b/jwt/contrib/algorithms/py_ecdsa.py index bf0dea5..adb33f4 100644 --- a/jwt/contrib/algorithms/py_ecdsa.py +++ b/jwt/contrib/algorithms/py_ecdsa.py @@ -56,5 +56,7 @@ def verify(self, msg, key, sig): try: return key.verify(sig, msg, hashfunc=self.hash_alg, sigdecode=ecdsa.util.sigdecode_string) - except AssertionError: + # ecdsa <= 0.13.2 raises AssertionError on too long signatures, + # ecdsa >= 0.13.3 raises BadSignatureError for verification errors. + except (AssertionError, ecdsa.BadSignatureError): return False
