Fix proposal for Oracular. ** Description changed:
+ [ Impact ] + + * python3-cepces has been using _RSAPublicKey.verifier from python3-cryptography. This method has been marked deprecated for a few years now, but recently (in version 37) has been completely removed. + * Updating system to a 37+ version of python3-cryptography will cause trouble due to cepces trying to call the removed method. + * The new API to use is _RSAPublicKey.verify, which takes one extra parameter. + + [ Test Plan ] + + I was looking for a shorter way, but apparently cepces test suite does + not cover this case and testing requires a AD controler. + + The issue happens occurs when following [1]. When a configured system + tries to automatically enroll certificates it fails with the following + messages: + + Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature + Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier( + Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^ + Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier' + + + [1] https://documentation.ubuntu.com/adsys/en/stable/tutorial/certificates-autoenrolment/ + + [ Where problems could occur ] + + * There is a very unlikely possibility that this fix will make cepces incompatible with "ancient" (pre-1.4) versions of python-cryptography, as this is where the "verify" method has been introduced. I don't think this is a concern, because probably there would be much more incompatibilities with a version over 8 years old. + * Due to the fact that "verifier" has been deprecated for quite some time, I believe requiring version at least 37 with this patch (containing only "verify") would make sense in this case. 
+ + [ Other Info ] + + Original bug description: + This bug is opened to include the upstream patch by falencastro into the Ubuntu release of python3-cepces Upstream Bug report: https://github.com/openSUSE/cepces/issues/41 python-cryptography version 37.0.0 dropped the `signer` and `verifier` methods, replacing them with `sign` and `verify` (https://github.com/pyca/cryptography/blob/43.0.x/CHANGELOG.rst#3700--- 2022-04-26) From upstream report: 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu 2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center OS: Ubuntu 24.04.1 LTS Python: 3.12.3 python3-cepces: 0.3.7-0ubuntu1 python3-cryptography: 41.0.7-4ubuntu0.1 3) What you expected to happen: AD enrolled systems can auto-fetch certificates from the server 4) What happened instead: Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier( Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^ Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier' - PR with fix: https://github.com/openSUSE/cepces/pull/42 ** Patch added: "oracular.debdiff" https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751/+attachment/5823763/+files/oracular.debdiff ** Description changed: [ Impact ] - * python3-cepces has been using _RSAPublicKey.verifier from python3-cryptography. This method has been marked deprecated for a few years now, but recently (in version 37) has been completely removed. + * python3-cepces has been using _RSAPublicKey.verifier from python3-cryptography. This method has been marked deprecated for a few years now, but recently (in version 37) has been completely removed. 
* Updating system to a 37+ version of python3-cryptography will cause trouble due to cepces trying to call the removed method. * The new API to use is _RSAPublicKey.verify, which takes one extra parameter. + * Versions prior to Noble still have cryptography with the .verifier method. [ Test Plan ] I was looking for a shorter way, but apparently cepces test suite does not cover this case and testing requires a AD controler. The issue happens occurs when following [1]. When a configured system tries to automatically enroll certificates it fails with the following messages: Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier( Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^ Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier' - - [1] https://documentation.ubuntu.com/adsys/en/stable/tutorial/certificates-autoenrolment/ + [1] + https://documentation.ubuntu.com/adsys/en/stable/tutorial/certificates- + autoenrolment/ [ Where problems could occur ] - * There is a very unlikely possibility that this fix will make cepces incompatible with "ancient" (pre-1.4) versions of python-cryptography, as this is where the "verify" method has been introduced. I don't think this is a concern, because probably there would be much more incompatibilities with a version over 8 years old. + * There is a very unlikely possibility that this fix will make cepces incompatible with "ancient" (pre-1.4) versions of python-cryptography, as this is where the "verify" method has been introduced. I don't think this is a concern, because probably there would be much more incompatibilities with a version over 8 years old. 
* Due to the fact that "verifier" has been deprecated for quite some time, I believe requiring version at least 37 with this patch (containing only "verify") would make sense in this case. [ Other Info ] Original bug description: This bug is opened to include the upstream patch by falencastro into the Ubuntu release of python3-cepces Upstream Bug report: https://github.com/openSUSE/cepces/issues/41 python-cryptography version 37.0.0 dropped the `signer` and `verifier` methods, replacing them with `sign` and `verify` (https://github.com/pyca/cryptography/blob/43.0.x/CHANGELOG.rst#3700--- 2022-04-26) From upstream report: 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu 2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center OS: Ubuntu 24.04.1 LTS Python: 3.12.3 python3-cepces: 0.3.7-0ubuntu1 python3-cryptography: 41.0.7-4ubuntu0.1 3) What you expected to happen: AD enrolled systems can auto-fetch certificates from the server 4) What happened instead: Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier( Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^ Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier' PR with fix: https://github.com/openSUSE/cepces/pull/42
https://bugs.launchpad.net/bugs/2081751
Title: python3-cepces calling deprecated method from cryptography
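The API change described in this report, shown as an added example (not part of the bug report and not the cepces code): a certificate signature check written against the one-shot `verify` call that replaced the removed `verifier` context. The helper names `make_cert` and `signed_by`, the test names and keys, and the choice of PKCS#1 v1.5 padding are assumptions made for the illustration.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_cert(subject_cn, issuer_cn, subject_key, signing_key):
    """Build a throwaway certificate (constructed test data)."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2024, 1, 1)
    return (
        x509.CertificateBuilder()
        .subject_name(name(subject_cn))
        .issuer_name(name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .sign(signing_key, hashes.SHA256())
    )


def signed_by(cert, issuer_public_key):
    """True if cert's signature verifies under issuer_public_key."""
    # Removed in cryptography 37 (streaming context):
    #   v = issuer_public_key.verifier(signature, padding, algorithm)
    #   v.update(data); v.verify()
    # Replacement: one call; the signed bytes are the extra parameter.
    try:
        issuer_public_key.verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),  # assumption: RSA PKCS#1 v1.5 signature
            cert.signature_hash_algorithm,
        )
    except InvalidSignature:
        return False
    return True


# Constructed keys and names; nothing here comes from a real CA.
ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
unrelated_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
leaf = make_cert("host.example.test", "Example Test CA", leaf_key, ca_key)
```

Both the old and the new API signal a bad signature by raising `InvalidSignature`, so a port must keep treating that exception as a failed check rather than catching it broadly alongside the `AttributeError` seen in the log.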
