commit bc9b10c8bc04be8414a7160d68e4443b8e7b78f8cbd2757541c69fa708297740 Author: Markéta Machová Date: Tue Jan 28 10:35:05 2025 +0000 - Update to 0.10.0 * Added support for macOS 10.13 and earlier using the `SecTrustEvaluate` API. Note that this API doesn't return fine-grained errors like `SecTrustEvaluateWithError` (requires macOS 10.14+). * Added `SSLContext.set_default_verify_paths()` method. * Changed method for disabling hostname verification for macOS and Windows. Previously would ignore hostname verification errors if `SSLContext.check_hostname` was `False`. Now for both macOS and Windows the certificate verification policy is configured to not check certificate hostname. This should have no effect on users. - from version 0.9.2 * Fixed an issue where implementations supporting Python 3.10 but not the peer certificate chain APIs would fail during the handshake instead of when importing the `truststore` module. The module now raises an error immediately instead of on first handshake. This was added for the GraalPy implementation specifically, but there may be others. - Skip test_wrong_host_succeeds_with_hostname_verification_disabled test OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-truststore?expand=0&rev=11
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/no-network-testing.patch b/no-network-testing.patch
new file mode 100644
index 0000000..7a2a395
--- /dev/null
+++ b/no-network-testing.patch
@@ -0,0 +1,113 @@
+---
+ pyproject.toml | 3 +++
+ test_truststore.py | 7 +++----
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+Index: truststore-0.8.0/pyproject.toml
+===================================================================
+--- truststore-0.8.0.orig/pyproject.toml
++++ truststore-0.8.0/pyproject.toml
+@@ -26,6 +26,9 @@ classifiers = [
+ ]
+ dynamic = ["version", "description"]
+ requires-python = ">= 3.10"
++markers = [
++ "network: test case requires network connection",
++]
+
+ [project.urls]
+ Source = "https://github.com/sethmlarson/truststore"
+@@ -38,3 +41,6 @@ filterwarnings = [
+ # See: aio-libs/aiohttp#7545
+ "ignore:.*datetime.utcfromtimestamp().*:DeprecationWarning",
+ ]
++markers = [
++ "network: test case requires network connection",
++]
+Index: truststore-0.8.0/tests/conftest.py
+===================================================================
+--- truststore-0.8.0.orig/tests/conftest.py
++++ truststore-0.8.0/tests/conftest.py
+@@ -18,7 +18,7 @@ SUBPROCESS_TIMEOUT = 5
+ original_SSLContext = ssl.SSLContext
+
+
+-successful_hosts = pytest.mark.parametrize("host", ["example.com", "1.1.1.1"])
++successful_hosts = pytest.mark.network
+
+ logger = logging.getLogger("aiohttp.web")
+
+Index: truststore-0.8.0/tests/test_api.py
+===================================================================
+--- truststore-0.8.0.orig/tests/test_api.py
++++ truststore-0.8.0/tests/test_api.py
+@@ -27,8 +27,8 @@ pytestmark = pytest.mark.flaky
+ # if the client drops the connection due to a cert verification error
+ socket.setdefaulttimeout(10)
+
+-successful_hosts = pytest.mark.parametrize("host", ["example.com", "1.1.1.1"])
+
++successful_hosts = pytest.mark.network
+
+ @dataclass
+ class FailureHost:
+@@ -118,9 +118,7 @@ failure_hosts_list = [
+ ),
+ ]
+
+-failure_hosts_no_revocation = pytest.mark.parametrize(
+- "failure", failure_hosts_list.copy(), ids=attrgetter("host")
+-)
++failure_hosts_no_revocation = pytest.mark.network
+
+ if platform.system() != "Linux":
+ failure_hosts_list.append(
+@@ -139,9 +137,7 @@ if platform.system() != "Linux":
+ )
+ )
+
+-failure_hosts = pytest.mark.parametrize(
+- "failure", failure_hosts_list, ids=attrgetter("host")
+-)
++failure_hosts = pytest.mark.network
+
+
+ @pytest.fixture(scope="session")
+@@ -317,7 +313,7 @@ def test_trustme_cert_loaded_via_capath(
+ assert resp.status == 200
+ assert len(resp.data) > 0
+
+-
++@pytest.mark.network
+ def test_trustme_cert_still_uses_system_certs(trustme_ca):
+ ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+ trustme_ca.configure_trust(ctx)
+Index: truststore-0.8.0/tests/test_sslcontext.py
+===================================================================
+--- truststore-0.8.0.orig/tests/test_sslcontext.py
++++ truststore-0.8.0/tests/test_sslcontext.py
+@@ -7,7 +7,7 @@ from urllib3.exceptions import InsecureR
+
+ import truststore
+
+-
++@pytest.mark.network
+ def test_minimum_maximum_version():
+ ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+ ctx.maximum_version = ssl.TLSVersion.TLSv1_2
+@@ -24,6 +24,7 @@ def test_minimum_maximum_version():
+ assert ctx.maximum_version == ssl.TLSVersion.TLSv1_2
+
+
++@pytest.mark.network
+ def test_check_hostname_false():
+ ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+ assert ctx.check_hostname is True
+@@ -35,6 +36,7 @@ def test_check_hostname_false():
+ assert "match" in str(e.value)
+
+
++@pytest.mark.network
+ def test_verify_mode_cert_none():
+ ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+ assert ctx.check_hostname is True
diff --git a/python-truststore.changes b/python-truststore.changes
new file mode 100644
index 0000000..265cdfb
--- /dev/null
+++ b/python-truststore.changes
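Review bot: `no-network-testing.patch` is added here but nothing visible applies it: the new `python-truststore.spec` has no `Patch` tag, and the Aug 14 2024 changelog entry records the patch as dropped. It is also written against `truststore-0.8.0` paths while the spec builds 0.10.0, and its first hunk would put `markers` under `[project]` (right after `requires-python`) rather than in the pytest options table. Unapplied patches, like the unused `truststore-0.8.0.tar.gz` and `truststore-0.9.1.tar.gz` pointers added later in this commit, make it harder to audit what actually enters the build; I would drop them from the package directory, or state in the commit message that they are kept only as imported history.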
@@ -0,0 +1,64 @@
+-------------------------------------------------------------------
+Tue Jan 28 10:07:25 UTC 2025 - John Paul Adrian Glaubitz
+
+- Update to 0.10.0
+ * Added support for macOS 10.13 and earlier using the `SecTrustEvaluate`
+ API. Note that this API doesn't return fine-grained errors like
+ `SecTrustEvaluateWithError` (requires macOS 10.14+).
+ * Added `SSLContext.set_default_verify_paths()` method.
+ * Changed method for disabling hostname verification for macOS and
+ Windows. Previously would ignore hostname verification errors if
+ `SSLContext.check_hostname` was `False`.
+ Now for both macOS and Windows the certificate verification policy
+ is configured to not check certificate hostname. This should have
+ no effect on users.
+- from version 0.9.2
+ * Fixed an issue where implementations supporting Python 3.10 but not
+ the peer certificate chain APIs would fail during the handshake instead
+ of when importing the `truststore` module. The module now raises an error
+ immediately instead of on first handshake. This was added for the GraalPy
+ implementation specifically, but there may be others.
+- Skip test_wrong_host_succeeds_with_hostname_verification_disabled test
+
+-------------------------------------------------------------------
+Thu Oct 3 05:43:57 UTC 2024 - Steve Kowalik
+
+- Add missing BuildRequires on pyOpenSSL for the testsuite, rather than
+ depending on it transitivity.
+
+-------------------------------------------------------------------
+Wed Aug 14 05:38:45 UTC 2024 - Steve Kowalik
+
+- Update to 0.9.1:
+ * Fixed an issue for CPython 3.13 where `ssl.SSLSocket` and `ssl.SSLObject`
+ certificate chain APIs would return different types.
+ * Added support for Python 3.13.
+ * Fixed loading additional certificates on macOS.
+- Drop patch no-network-testing.patch, not required.
+
+-------------------------------------------------------------------
+Sat Mar 2 08:02:57 UTC 2024 - Andreas Schneider
+
+- Use sle15_python_module_pythons
+
+-------------------------------------------------------------------
+Fri Sep 29 17:56:07 UTC 2023 - Ondřej Súkup
+
+- update to 0.8.0
+- refresh no-network-testing.patch
+ * Added documentation for how to use truststore with urllib3,
+ Requests, aiohttp, and pip.
+ * Added pass-through implementations for many ssl.SSLContext methods
+ like load_cert_chain(), set_alpn_protocols(), etc.
+ * Added inject_into_ssl() and extract_from_ssl() to enable Truststore
+ for all packages using ssl.SSLContext automatically
+ * Added support for setting check_hostname, verify_mode, and verify_flags.
+ * Fixed issue where a RecursionError that would be raised when setting
+ SSLContext.minimum_version or .maximum_version
+
+-------------------------------------------------------------------
+Thu Jul 28 15:00:19 UTC 2022 - Matej Cepl
+
+- Initial packaging effort for truststore 0.4.0.
+- Add no-network-testing.patch to skip networked tests
+ (gh#sethmlarson/truststore#65).
diff --git a/python-truststore.spec b/python-truststore.spec
new file mode 100644
index 0000000..6e62389
--- /dev/null
+++ b/python-truststore.spec
@@ -0,0 +1,69 @@
+#
+# spec file for package python-truststore
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%{?sle15_python_module_pythons}
+Name: python-truststore
+Version: 0.10.0
+Release: 0
+Summary: Verify certificates using OS trust stores
+License: MIT
+URL: https://github.com/sethmlarson/truststore
+Source: https://github.com/sethmlarson/truststore/archive/refs/tags/v%{version}.tar.gz#/truststore-%{version}.tar.gz
+BuildRequires: %{python_module aiohttp}
+BuildRequires: %{python_module flaky}
+BuildRequires: %{python_module flit-core}
+BuildRequires: %{python_module httpx}
+BuildRequires: %{python_module pip}
+BuildRequires: %{python_module pyOpenSSL}
+BuildRequires: %{python_module pytest-asyncio}
+BuildRequires: %{python_module pytest-httpserver}
+BuildRequires: %{python_module pytest}
+BuildRequires: %{python_module requests}
+BuildRequires: %{python_module trustme}
+BuildRequires: %{python_module urllib3}
+BuildRequires: %{python_module wheel}
+BuildRequires: fdupes
+BuildRequires: python-rpm-macros
+BuildArch: noarch
+%python_subpackages
+
+%description
+Verify certificates using OS trust stores. Supports macOS,
+Windows, and Linux (with OpenSSL). This project should be
+considered experimental.
+
+%prep
+%autosetup -p1 -n truststore-%{version}
+
+%build
+%pyproject_wheel
+
+%install
+%pyproject_install
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+
+%check
+%pytest -s -k 'not internet and not test_wrong_host_succeeds_with_hostname_verification_disabled'
+
+%files %{python_files}
+%doc README.md
+%license LICENSE
+%{python_sitelib}/truststore
+%{python_sitelib}/truststore-%{version}.dist-info
+
+%changelog
diff --git a/truststore-0.10.0.tar.gz b/truststore-0.10.0.tar.gz
new file mode 100644
index 0000000..6772620
--- /dev/null
+++ b/truststore-0.10.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:12e89641dba78a9427f782ad2d824bed93583a9465002fe59b63c3fd12cbe8f5
+size 28644
diff --git a/truststore-0.8.0.tar.gz b/truststore-0.8.0.tar.gz
new file mode 100644
index 0000000..ee26a51
--- /dev/null
+++ b/truststore-0.8.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c862292f8d136bfcf2a7827a1fd1c1b27944a982741205fb466005673b570df8
+size 25619
diff --git a/truststore-0.9.1.tar.gz b/truststore-0.9.1.tar.gz
new file mode 100644
index 0000000..83de740
--- /dev/null
+++ b/truststore-0.9.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2716d09dc828e5df71673d881e558aa72337d816d93fa7f282c6c19989b7e772
+size 26720
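Review bot: In `python-truststore.spec`, the `%check` line deselects `test_wrong_host_succeeds_with_hostname_verification_disabled` without saying why, in the same update whose changelog says the way hostname verification is disabled was changed. For a certificate-verification library a skipped hostname test should carry its reason; I would add a comment above `%pytest`, e.g. `# test_wrong_host_succeeds_with_hostname_verification_disabled: <reason or upstream issue link>`. It is also worth confirming that the `not internet` keyword still matches upstream's network tests, since the only marker name visible on this page is `network`, from the dropped patch. If it matches nothing, those tests would presumably try to reach external hosts from the build root.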