From 08e207cf05a406bb8aeeaeeb784434befd4dc87a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 9 Mar 2022 17:45:56 -0500 Subject: [PATCH 1/6] Begin the changelog for 36.0.2 --- CHANGELOG.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 5dd8b87cc8b9..fb62f0e26bc3 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,11 @@ Changelog ========= +.. _v36-0-2: + +36.0.2 - Unreleased +~~~~~~~~~~~~~~~~~~~ + .. _v36-0-1: 36.0.1 - 2021-12-14 From 6ff83185407d1ac1f95d9c29cc1fbdadd6943900 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 6 Feb 2022 12:51:12 -0500 Subject: [PATCH 2/6] Switch from centos to rhel in CI (#6844) * Switch from centos to rhel in CI * Update installation.rst * Update installation.rst --- .github/workflows/ci.yml | 4 ++-- docs/installation.rst | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 225b05e52e1e..d01bc5a4aae4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -130,8 +130,8 @@ jobs: fail-fast: false matrix: IMAGE: - - {IMAGE: "centos8", TOXENV: "py36"} - - {IMAGE: "centos8-fips", TOXENV: "py36", FIPS: true} + - {IMAGE: "rhel8", TOXENV: "py36"} + - {IMAGE: "rhel8-fips", TOXENV: "py36", FIPS: true} - {IMAGE: "buster", TOXENV: "py37"} - {IMAGE: "bullseye", TOXENV: "py39"} - {IMAGE: "bookworm", TOXENV: "py39"} diff --git a/docs/installation.rst b/docs/installation.rst index 71603a6238a2..8fae0dd9e298 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -16,7 +16,7 @@ Supported platforms Currently we test ``cryptography`` on Python 3.6+ and PyPy3 on these operating systems. -* x86-64 CentOS 8.x +* x86-64 RHEL 8.x * x86-64 Fedora (latest) * x86-64 macOS 10.15 Catalina * x86-64 Ubuntu 18.04, 20.04, rolling From 6ac75af085fe94b24efb6ecdce3d88dea713407d Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Wed, 9 Mar 2022 17:56:27 -0500 Subject: [PATCH 3/6] Re-blackify for latest black --- .../hazmat/backends/openssl/backend.py | 2 +- .../hazmat/backends/openssl/ciphers.py | 2 +- .../hazmat/primitives/ciphers/aead.py | 8 +-- .../hazmat/primitives/ciphers/modes.py | 4 +- .../hazmat/primitives/kdf/concatkdf.py | 2 +- .../hazmat/primitives/kdf/x963kdf.py | 2 +- .../hazmat/primitives/serialization/ssh.py | 2 +- .../hazmat/primitives/twofactor/hotp.py | 2 +- tests/hazmat/backends/test_openssl.py | 4 +- tests/hazmat/primitives/test_aead.py | 2 +- tests/hazmat/primitives/test_concatkdf.py | 4 +- tests/hazmat/primitives/test_dsa.py | 54 +++++++++---------- tests/hazmat/primitives/test_scrypt.py | 4 +- tests/hazmat/primitives/test_x963kdf.py | 2 +- 14 files changed, 47 insertions(+), 47 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 73645239272f..5606fe60f8ab 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1931,7 +1931,7 @@ def derive_scrypt(self, key_material, salt, length, n, r, p): errors = self._consume_errors_with_text() # memory required formula explained here: # https://blog.filippo.io/the-scrypt-parameters/ - min_memory = 128 * n * r // (1024 ** 2) + min_memory = 128 * n * r // (1024**2) raise MemoryError( "Not enough memory to derive key. These parameters require" " {} MB of memory.".format(min_memory), diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py index d5b601027db7..2c9c4a553d4f 100644 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py 
@@ -16,7 +16,7 @@ class _CipherContext(object): _ENCRYPT = 1 _DECRYPT = 0 - _MAX_CHUNK_SIZE = 2 ** 30 - 1 + _MAX_CHUNK_SIZE = 2**30 - 1 def __init__(self, backend, cipher, mode, operation): self._backend = backend diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index aa3862074b35..0443efaa9a9b 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -12,7 +12,7 @@ class ChaCha20Poly1305(object): - _MAX_SIZE = 2 ** 32 + _MAX_SIZE = 2**32 def __init__(self, key: bytes): if not backend.aead_cipher_supported(self): @@ -75,7 +75,7 @@ def _check_params( class AESCCM(object): - _MAX_SIZE = 2 ** 32 + _MAX_SIZE = 2**32 def __init__(self, key: bytes, tag_length: int = 16): utils._check_byteslike("key", key) @@ -160,7 +160,7 @@ def _check_params( class AESGCM(object): - _MAX_SIZE = 2 ** 32 + _MAX_SIZE = 2**32 def __init__(self, key: bytes): utils._check_byteslike("key", key) @@ -223,7 +223,7 @@ def _check_params( class AESOCB3(object): - _MAX_SIZE = 2 ** 32 + _MAX_SIZE = 2**32 def __init__(self, key: bytes): utils._check_byteslike("key", key) diff --git a/src/cryptography/hazmat/primitives/ciphers/modes.py b/src/cryptography/hazmat/primitives/ciphers/modes.py index 3491dc2038c2..7f9a87baac66 100644 --- a/src/cryptography/hazmat/primitives/ciphers/modes.py +++ b/src/cryptography/hazmat/primitives/ciphers/modes.py @@ -192,8 +192,8 @@ def validate_for_algorithm(self, algorithm: CipherAlgorithm) -> None: class GCM(Mode, ModeWithInitializationVector, ModeWithAuthenticationTag): name = "GCM" - _MAX_ENCRYPTED_BYTES = (2 ** 39 - 256) // 8 - _MAX_AAD_BYTES = (2 ** 64) // 8 + _MAX_ENCRYPTED_BYTES = (2**39 - 256) // 8 + _MAX_AAD_BYTES = (2**64) // 8 def __init__( self, diff --git a/src/cryptography/hazmat/primitives/kdf/concatkdf.py b/src/cryptography/hazmat/primitives/kdf/concatkdf.py index 5ef5f4200d26..641b0425f377 100644 
--- a/src/cryptography/hazmat/primitives/kdf/concatkdf.py +++ b/src/cryptography/hazmat/primitives/kdf/concatkdf.py @@ -24,7 +24,7 @@ def _common_args_checks( length: int, otherinfo: typing.Optional[bytes], ) -> None: - max_length = algorithm.digest_size * (2 ** 32 - 1) + max_length = algorithm.digest_size * (2**32 - 1) if length > max_length: raise ValueError( "Cannot derive keys larger than {} bits.".format(max_length) diff --git a/src/cryptography/hazmat/primitives/kdf/x963kdf.py b/src/cryptography/hazmat/primitives/kdf/x963kdf.py index caf3545bfbe4..b9b7e5b79b5f 100644 --- a/src/cryptography/hazmat/primitives/kdf/x963kdf.py +++ b/src/cryptography/hazmat/primitives/kdf/x963kdf.py @@ -27,7 +27,7 @@ def __init__( sharedinfo: typing.Optional[bytes], backend: typing.Any = None, ): - max_len = algorithm.digest_size * (2 ** 32 - 1) + max_len = algorithm.digest_size * (2**32 - 1) if length > max_len: raise ValueError( "Cannot derive keys larger than {} bits.".format(max_len) diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py index 1897fec4f915..61e933dd2222 100644 --- a/src/cryptography/hazmat/primitives/serialization/ssh.py +++ b/src/cryptography/hazmat/primitives/serialization/ssh.py @@ -46,7 +46,7 @@ def _bcrypt_kdf( _ECDSA_NISTP521 = b"ecdsa-sha2-nistp521" _CERT_SUFFIX = b"-cert-v01@openssh.com" -_SSH_PUBKEY_RC = re.compile(br"\A(\S+)[ \t]+(\S+)") +_SSH_PUBKEY_RC = re.compile(rb"\A(\S+)[ \t]+(\S+)") _SK_MAGIC = b"openssh-key-v1\0" _SK_START = b"-----BEGIN OPENSSH PRIVATE KEY-----" _SK_END = b"-----END OPENSSH PRIVATE KEY-----" diff --git a/src/cryptography/hazmat/primitives/twofactor/hotp.py b/src/cryptography/hazmat/primitives/twofactor/hotp.py index 4dd9bac3f84a..781b728b9e90 100644 --- a/src/cryptography/hazmat/primitives/twofactor/hotp.py +++ b/src/cryptography/hazmat/primitives/twofactor/hotp.py 
@@ -73,7 +73,7 @@ def __init__( def generate(self, counter: int) -> bytes: truncated_value = self._dynamic_truncate(counter) - hotp = truncated_value % (10 ** self._length) + hotp = truncated_value % (10**self._length) return "{0:0{1}}".format(hotp, self._length).encode() def verify(self, hotp: bytes, counter: int) -> None: diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 2ca62a03aff9..dae5cb32d4f7 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -146,7 +146,7 @@ def test_large_key_size_on_new_openssl(self): assert param_num.p.bit_length() == 3072 def test_int_to_bn(self): - value = (2 ** 4242) - 4242 + value = (2**4242) - 4242 bn = backend._int_to_bn(value) assert bn != backend._ffi.NULL bn = backend._ffi.gc(bn, backend._lib.BN_clear_free) @@ -155,7 +155,7 @@ def test_int_to_bn(self): assert backend._bn_to_int(bn) == value def test_int_to_bn_inplace(self): - value = (2 ** 4242) - 4242 + value = (2**4242) - 4242 bn_ptr = backend._lib.BN_new() assert bn_ptr != backend._ffi.NULL bn_ptr = backend._ffi.gc(bn_ptr, backend._lib.BN_free) diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index de9b2eae41ae..f10e17f1aa3f 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -27,7 +27,7 @@ class FakeData(bytes): def __len__(self): - return 2 ** 32 + 1 + return 2**32 + 1 def _aead_supported(cls): diff --git a/tests/hazmat/primitives/test_concatkdf.py b/tests/hazmat/primitives/test_concatkdf.py index 908a3924960d..cb9561ef6d0a 100644 --- a/tests/hazmat/primitives/test_concatkdf.py +++ b/tests/hazmat/primitives/test_concatkdf.py 
@@ -15,7 +15,7 @@ class TestConcatKDFHash(object): def test_length_limit(self, backend): - big_length = hashes.SHA256().digest_size * (2 ** 32 - 1) + 1 + big_length = hashes.SHA256().digest_size * (2**32 - 1) + 1 with pytest.raises(ValueError): ConcatKDFHash(hashes.SHA256(), big_length, None, backend) @@ -124,7 +124,7 @@ def test_unicode_typeerror(self, backend): class TestConcatKDFHMAC(object): def test_length_limit(self, backend): - big_length = hashes.SHA256().digest_size * (2 ** 32 - 1) + 1 + big_length = hashes.SHA256().digest_size * (2**32 - 1) + 1 with pytest.raises(ValueError): ConcatKDFHMAC(hashes.SHA256(), big_length, None, None, backend) diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index 6028b600de44..dbecfef7141a 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -117,38 +117,38 @@ def test_generate_dsa_private_key_and_parameters(self, backend): ("p", "q", "g"), [ ( - 2 ** 1000, + 2**1000, DSA_KEY_1024.public_numbers.parameter_numbers.q, DSA_KEY_1024.public_numbers.parameter_numbers.g, ), ( - 2 ** 2000, + 2**2000, DSA_KEY_2048.public_numbers.parameter_numbers.q, DSA_KEY_2048.public_numbers.parameter_numbers.g, ), ( - 2 ** 3000, + 2**3000, DSA_KEY_3072.public_numbers.parameter_numbers.q, DSA_KEY_3072.public_numbers.parameter_numbers.g, ), ( - 2 ** 3100, + 2**3100, DSA_KEY_3072.public_numbers.parameter_numbers.q, DSA_KEY_3072.public_numbers.parameter_numbers.g, ), ( DSA_KEY_1024.public_numbers.parameter_numbers.p, - 2 ** 150, + 2**150, DSA_KEY_1024.public_numbers.parameter_numbers.g, ), ( DSA_KEY_2048.public_numbers.parameter_numbers.p, - 2 ** 250, + 2**250, DSA_KEY_2048.public_numbers.parameter_numbers.g, ), ( DSA_KEY_3072.public_numbers.parameter_numbers.p, - 2 ** 260, + 2**260, DSA_KEY_3072.public_numbers.parameter_numbers.g, ), ( 
@@ -164,7 +164,7 @@ def test_generate_dsa_private_key_and_parameters(self, backend): ( DSA_KEY_1024.public_numbers.parameter_numbers.p, DSA_KEY_1024.public_numbers.parameter_numbers.q, - 2 ** 1200, + 2**1200, ), ], ) @@ -176,28 +176,28 @@ def test_invalid_parameters_values(self, p, q, g, backend): ("p", "q", "g", "y", "x"), [ ( - 2 ** 1000, + 2**1000, DSA_KEY_1024.public_numbers.parameter_numbers.q, DSA_KEY_1024.public_numbers.parameter_numbers.g, DSA_KEY_1024.public_numbers.y, DSA_KEY_1024.x, ), ( - 2 ** 2000, + 2**2000, DSA_KEY_2048.public_numbers.parameter_numbers.q, DSA_KEY_2048.public_numbers.parameter_numbers.g, DSA_KEY_2048.public_numbers.y, DSA_KEY_2048.x, ), ( - 2 ** 3000, + 2**3000, DSA_KEY_3072.public_numbers.parameter_numbers.q, DSA_KEY_3072.public_numbers.parameter_numbers.g, DSA_KEY_3072.public_numbers.y, DSA_KEY_3072.x, ), ( - 2 ** 3100, + 2**3100, DSA_KEY_3072.public_numbers.parameter_numbers.q, DSA_KEY_3072.public_numbers.parameter_numbers.g, DSA_KEY_3072.public_numbers.y, @@ -205,21 +205,21 @@ def test_invalid_parameters_values(self, p, q, g, backend): ), ( DSA_KEY_1024.public_numbers.parameter_numbers.p, - 2 ** 150, + 2**150, DSA_KEY_1024.public_numbers.parameter_numbers.g, DSA_KEY_1024.public_numbers.y, DSA_KEY_1024.x, ), ( DSA_KEY_2048.public_numbers.parameter_numbers.p, - 2 ** 250, + 2**250, DSA_KEY_2048.public_numbers.parameter_numbers.g, DSA_KEY_2048.public_numbers.y, DSA_KEY_2048.x, ), ( DSA_KEY_3072.public_numbers.parameter_numbers.p, - 2 ** 260, + 2**260, DSA_KEY_3072.public_numbers.parameter_numbers.g, DSA_KEY_3072.public_numbers.y, DSA_KEY_3072.x, @@ -241,7 +241,7 @@ def test_invalid_parameters_values(self, p, q, g, backend): ( DSA_KEY_1024.public_numbers.parameter_numbers.p, DSA_KEY_1024.public_numbers.parameter_numbers.q, - 2 ** 1200, + 2**1200, DSA_KEY_1024.public_numbers.y, DSA_KEY_1024.x, ), 
@@ -264,20 +264,20 @@ def test_invalid_parameters_values(self, p, q, g, backend): DSA_KEY_1024.public_numbers.parameter_numbers.q, DSA_KEY_1024.public_numbers.parameter_numbers.g, DSA_KEY_1024.public_numbers.y, - 2 ** 159, + 2**159, ), ( DSA_KEY_1024.public_numbers.parameter_numbers.p, DSA_KEY_1024.public_numbers.parameter_numbers.q, DSA_KEY_1024.public_numbers.parameter_numbers.g, DSA_KEY_1024.public_numbers.y, - 2 ** 200, + 2**200, ), ( DSA_KEY_1024.public_numbers.parameter_numbers.p, DSA_KEY_1024.public_numbers.parameter_numbers.q, DSA_KEY_1024.public_numbers.parameter_numbers.g, - 2 ** 100, + 2**100, DSA_KEY_1024.x, ), ], @@ -296,44 +296,44 @@ def test_invalid_dsa_private_key_arguments(self, p, q, g, y, x, backend): ("p", "q", "g", "y"), [ ( - 2 ** 1000, + 2**1000, DSA_KEY_1024.public_numbers.parameter_numbers.q, DSA_KEY_1024.public_numbers.parameter_numbers.g, DSA_KEY_1024.public_numbers.y, ), ( - 2 ** 2000, + 2**2000, DSA_KEY_2048.public_numbers.parameter_numbers.q, DSA_KEY_2048.public_numbers.parameter_numbers.g, DSA_KEY_2048.public_numbers.y, ), ( - 2 ** 3000, + 2**3000, DSA_KEY_3072.public_numbers.parameter_numbers.q, DSA_KEY_3072.public_numbers.parameter_numbers.g, DSA_KEY_3072.public_numbers.y, ), ( - 2 ** 3100, + 2**3100, DSA_KEY_3072.public_numbers.parameter_numbers.q, DSA_KEY_3072.public_numbers.parameter_numbers.g, DSA_KEY_3072.public_numbers.y, ), ( DSA_KEY_1024.public_numbers.parameter_numbers.p, - 2 ** 150, + 2**150, DSA_KEY_1024.public_numbers.parameter_numbers.g, DSA_KEY_1024.public_numbers.y, ), ( DSA_KEY_2048.public_numbers.parameter_numbers.p, - 2 ** 250, + 2**250, DSA_KEY_2048.public_numbers.parameter_numbers.g, DSA_KEY_2048.public_numbers.y, ), ( DSA_KEY_3072.public_numbers.parameter_numbers.p, - 2 ** 260, + 2**260, DSA_KEY_3072.public_numbers.parameter_numbers.g, DSA_KEY_3072.public_numbers.y, ), 
@@ -352,7 +352,7 @@ def test_invalid_dsa_private_key_arguments(self, p, q, g, y, x, backend): ( DSA_KEY_1024.public_numbers.parameter_numbers.p, DSA_KEY_1024.public_numbers.parameter_numbers.q, - 2 ** 1200, + 2**1200, DSA_KEY_1024.public_numbers.y, ), ], diff --git a/tests/hazmat/primitives/test_scrypt.py b/tests/hazmat/primitives/test_scrypt.py index 769e06149452..be0b360332b5 100644 --- a/tests/hazmat/primitives/test_scrypt.py +++ b/tests/hazmat/primitives/test_scrypt.py @@ -40,7 +40,7 @@ def test_memory_limit_skip(): with pytest.raises(pytest.skip.Exception): _skip_if_memory_limited(1000, {"p": 16, "r": 64, "n": 1024}) - _skip_if_memory_limited(2 ** 31, {"p": 16, "r": 64, "n": 1024}) + _skip_if_memory_limited(2**31, {"p": 16, "r": 64, "n": 1024}) @pytest.mark.supported( @@ -99,7 +99,7 @@ def test_salt_not_bytes(self, backend): def test_scrypt_malloc_failure(self, backend): password = b"NaCl" - work_factor = 1024 ** 3 + work_factor = 1024**3 block_size = 589824 parallelization_factor = 16 length = 64 diff --git a/tests/hazmat/primitives/test_x963kdf.py b/tests/hazmat/primitives/test_x963kdf.py index 545d7cbac3fa..de84ae874bb3 100644 --- a/tests/hazmat/primitives/test_x963kdf.py +++ b/tests/hazmat/primitives/test_x963kdf.py @@ -14,7 +14,7 @@ class TestX963KDF(object): def test_length_limit(self, backend): - big_length = hashes.SHA256().digest_size * (2 ** 32 - 1) + 1 + big_length = hashes.SHA256().digest_size * (2**32 - 1) + 1 with pytest.raises(ValueError): X963KDF(hashes.SHA256(), big_length, None, backend) From 8370e0fad7eea8d00cc28121f649d505ec9a6e66 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 16 Dec 2021 15:33:37 -0500 Subject: [PATCH 4/6] Fix mypy (#6711) * Fix mypy * Poke for GHA --- tests/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/utils.py b/tests/utils.py index e5d6587a0c44..4a4fe04df3f7 100644 --- a/tests/utils.py +++ b/tests/utils.py 
@@ -498,7 +498,7 @@ def load_fips_ecdsa_signing_vectors(vector_data): r"\[(?P[PKB]-[0-9]{3}),SHA-(?P1|224|256|384|512)\]" ) - data = None + data: typing.Optional[typing.Dict[str, object]] = None for line in vector_data: line = line.strip() From ceb7372da6eb5ee8c0684b57e7c652df2e8b69f6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 9 Mar 2022 23:42:45 -0500 Subject: [PATCH 5/6] Backport CircleCI --- .circleci/build-wheel.sh | 35 +++++++++++++ .circleci/config.yml | 104 +++++++++++++++++++++++++++++++++++++++ MANIFEST.in | 2 + 3 files changed, 141 insertions(+) create mode 100755 .circleci/build-wheel.sh create mode 100644 .circleci/config.yml diff --git a/.circleci/build-wheel.sh b/.circleci/build-wheel.sh new file mode 100755 index 000000000000..d69e8c9213fe --- /dev/null +++ b/.circleci/build-wheel.sh @@ -0,0 +1,35 @@ +#!/bin/bash -ex + +cd /test + +echo "Building for ${PLATFORM}" + +PYBIN="/opt/python/${PYTHON}/bin" + +mkdir -p /test/wheelhouse.final + +"${PYBIN}"/python -m venv .venv + +.venv/bin/pip install -U pip wheel cffi setuptools-rust + +.venv/bin/python setup.py sdist +cd dist +tar zxf cryptography*.tar.gz +rm -rf cryptograph*.tar.gz +cd cryptography* + +REGEX="cp3([0-9])*" +if [[ "${PYBIN}" =~ $REGEX ]]; then + PY_LIMITED_API="--py-limited-api=cp3${BASH_REMATCH[1]}" +fi + +LDFLAGS="-L/opt/pyca/cryptography/openssl/lib" \ + CFLAGS="-I/opt/pyca/cryptography/openssl/include -Wl,--exclude-libs,ALL" \ + ../../.venv/bin/python setup.py bdist_wheel "$PY_LIMITED_API" + +auditwheel repair --plat "${PLATFORM}" -w wheelhouse/ dist/cryptography*.whl + +../../.venv/bin/pip install cryptography --no-index -f wheelhouse/ +../../.venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" + +mv wheelhouse/* /test/wheelhouse.final 
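Review bot: In `.circleci/build-wheel.sh`, `"$PY_LIMITED_API"` is passed quoted to `setup.py bdist_wheel`, so if the `cp3` pattern ever fails to match, the command receives an empty-string argument rather than no argument; `${PY_LIMITED_API:+"$PY_LIMITED_API"}` keeps the quoting without that. The pattern `cp3([0-9])*` repeats a one-digit group, so for a two-digit minor version the capture would most likely hold only the last digit; `REGEX="cp3([0-9]+)"` captures the whole number. Neither affects the `cp36-cp36m` builds configured in this patch. Because this script produces the wheels that are kept as artifacts, the `pip install -U pip wheel cffi setuptools-rust` line would be better driven by a pinned requirements file installed with `--require-hashes`, so the build inputs are fixed and reviewable.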
diff --git a/.circleci/config.yml b/.circleci/config.yml
new file mode 100644
index 000000000000..314613c093f1
--- /dev/null
+++ b/.circleci/config.yml
@@ -0,0 +1,104 @@
+version: 2.1
+
+commands:
+ docker-pull:
+ parameters:
+ image:
+ type: string
+ steps:
+ - run: docker pull <>
+ docker-run:
+ parameters:
+ image:
+ type: string
+ command:
+ type: string
+ steps:
+ - run: docker run -e PLATFORM -e PYTHON -v $(pwd):/test <> /bin/bash -c 'cd /test;<>'
+
+jobs:
+ linux-arm64:
+ machine:
+ image: ubuntu-2004:202111-02
+ resource_class: arm.medium
+ parameters:
+ image:
+ type: string
+ toxenv:
+ type: string
+ steps:
+ - checkout
+ - docker-pull:
+ image: <>
+ - docker-run:
+ image: <>
+ command: tox -e <>
+ linux-arm64-wheel:
+ machine:
+ image: ubuntu-2004:202111-02
+ resource_class: arm.medium
+ parameters:
+ image:
+ type: string
+ platform:
+ type: string
+ python:
+ type: string
+ environment:
+ PLATFORM: <>
+ PYTHON: <>
+ steps:
+ - checkout
+ - docker-pull:
+ image: <>
+ - docker-run:
+ image: <>
+ command: /test/.circleci/build-wheel.sh
+ - store_artifacts:
+ path: wheelhouse.final
+
+workflows:
+ ci:
+ jobs:
+ - linux-arm64:
+ # Changing this name should only be done in conjunction with updating
+ # the required checks on GH
+ name: linux-arm64-ci
+ image: ghcr.io/pyca/cryptography-runner-ubuntu-focal:aarch64
+ toxenv: py38
+ # This makes sure it runs on all tags in addition to PRs/branches.
+ # By default CircleCI ignores tags.
+ filters: + tags: + only: /.*/ + - linux-arm64: + name: linux-arm64-alpine-ci + image: ghcr.io/pyca/cryptography-runner-alpine:aarch64 + toxenv: py39 + filters: + tags: + only: /.*/ + - linux-arm64-wheel: + name: manylinux2014_aarch64-wheel + image: ghcr.io/pyca/cryptography-manylinux2014_aarch64:latest + python: cp36-cp36m + platform: manylinux2014_aarch64 + filters: + tags: + only: /.*/ + - linux-arm64-wheel: + name: manylinux_2_24_aarch64-wheel + image: ghcr.io/pyca/cryptography-manylinux_2_24:aarch64 + python: cp36-cp36m + platform: manylinux_2_24_aarch64 + filters: + tags: + only: /.*/ + - linux-arm64-wheel: + name: musllinux_1_1_aarch64-wheel + image: ghcr.io/pyca/cryptography-musllinux_1_1:aarch64 + python: cp36-cp36m + platform: musllinux_1_1_aarch64 + filters: + tags: + only: /.*/ diff --git a/MANIFEST.in b/MANIFEST.in index 94f0a4f38d9c..e92077b32b5e 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -23,3 +23,5 @@ exclude release.py .coveragerc codecov.yml .readthedocs.yml dev-requirements.txt recursive-exclude .zuul.d * recursive-exclude .zuul.playbooks * + +recursive-exclude .circleci * From 7dd4089623aef7423ee0646459a3b23848353d7c Mon Sep 17 00:00:00 2001 
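Review bot: The container images under `workflows` in `.circleci/config.yml` are referenced by mutable tags (`:latest`, `:aarch64`), so the `linux-arm64-wheel` jobs build the wheels they store as artifacts in whatever image the tag resolves to at run time. The machine image is already pinned (`ubuntu-2004:202111-02`); the same would help here by referencing each image by digest, e.g. `image: ghcr.io/pyca/cryptography-manylinux2014_aarch64@sha256:<digest-placeholder>`, and bumping it deliberately. Separately, `$(pwd)` in the `docker-run` command is unquoted; `-v "$(pwd)":/test` avoids word splitting if the checkout path ever contains whitespace.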
From: Alex Gaynor Date: Sun, 2 Jan 2022 18:44:34 -0500 Subject: [PATCH 6/6] Remove Zuul from our CI (#6778) It was providing arm64 builds, but we now do those on CircleCI --- .zuul.d/jobs.yaml | 52 ----------- .zuul.d/project.yaml | 12 --- .zuul.playbooks/playbooks/tox/main.yaml | 7 -- .zuul.playbooks/playbooks/tox/pre.yaml | 38 -------- .zuul.playbooks/playbooks/wheel/main.yaml | 6 -- .zuul.playbooks/playbooks/wheel/pre.yaml | 42 --------- .../roles/build-wheel-manylinux/README.rst | 1 - .../files/build-wheels.sh | 53 ----------- .../build-wheel-manylinux/tasks/main.yaml | 88 ------------------- MANIFEST.in | 3 - 10 files changed, 302 deletions(-) delete mode 100644 .zuul.d/jobs.yaml delete mode 100644 .zuul.d/project.yaml delete mode 100644 .zuul.playbooks/playbooks/tox/main.yaml delete mode 100644 .zuul.playbooks/playbooks/tox/pre.yaml delete mode 100644 .zuul.playbooks/playbooks/wheel/main.yaml delete mode 100644 .zuul.playbooks/playbooks/wheel/pre.yaml delete mode 100644 .zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/README.rst delete mode 100644 .zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/files/build-wheels.sh delete mode 100644 .zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/tasks/main.yaml diff --git a/.zuul.d/jobs.yaml b/.zuul.d/jobs.yaml deleted file mode 100644 index e4029912f77e..000000000000 --- a/.zuul.d/jobs.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -- job: - name: pyca-cryptography-base - abstract: true - description: Run pyca/cryptography unit testing - pre-run: .zuul.playbooks/playbooks/tox/pre.yaml - run: .zuul.playbooks/playbooks/tox/main.yaml - -- job: - name: pyca-cryptography-ubuntu-focal-py38-arm64 - parent: pyca-cryptography-base - nodeset: ubuntu-focal-arm64 - vars: - tox_envlist: py38 - -- job: - name: pyca-cryptography-build-wheel - abstract: true - pre-run: .zuul.playbooks/playbooks/wheel/pre.yaml - run: .zuul.playbooks/playbooks/wheel/main.yaml - -- job: - name: pyca-cryptography-build-wheel-arm64-manylinux2014 - parent: pyca-cryptography-build-wheel - nodeset: ubuntu-focal-arm64 - vars: - wheel_builds: - - platform: manylinux2014_aarch64 - image: ghcr.io/pyca/cryptography-manylinux2014_aarch64 - pythons: - - cp36-cp36m - -- job: - name: pyca-cryptography-build-wheel-arm64-manylinux224 - parent: pyca-cryptography-build-wheel - nodeset: ubuntu-focal-arm64 - vars: - wheel_builds: - - platform: manylinux_2_24_aarch64 - image: ghcr.io/pyca/cryptography-manylinux_2_24:aarch64 - pythons: - - cp36-cp36m - -- job: - name: pyca-cryptography-build-wheel-arm64-musllinux11 - parent: pyca-cryptography-build-wheel - nodeset: ubuntu-focal-arm64 - vars: - wheel_builds: - - platform: musllinux_1_1_aarch64 - image: ghcr.io/pyca/cryptography-musllinux_1_1:aarch64 - pythons: - - cp36-cp36m diff --git a/.zuul.d/project.yaml b/.zuul.d/project.yaml deleted file mode 100644 index 458c3f4b8291..000000000000 --- a/.zuul.d/project.yaml +++ /dev/null @@ -1,12 +0,0 @@ -- project: - check: - jobs: - - pyca-cryptography-build-wheel-arm64-manylinux2014 - - pyca-cryptography-build-wheel-arm64-manylinux224 - - pyca-cryptography-build-wheel-arm64-musllinux11 - - pyca-cryptography-ubuntu-focal-py38-arm64 - release: - jobs: - - pyca-cryptography-build-wheel-arm64-manylinux2014 - - pyca-cryptography-build-wheel-arm64-manylinux224 - - pyca-cryptography-build-wheel-arm64-musllinux11 
diff --git a/.zuul.playbooks/playbooks/tox/main.yaml b/.zuul.playbooks/playbooks/tox/main.yaml deleted file mode 100644 index 6243215bc24e..000000000000 --- a/.zuul.playbooks/playbooks/tox/main.yaml +++ /dev/null @@ -1,7 +0,0 @@ -- hosts: all - tasks: - - name: Run tox - include_role: - name: tox - vars: - tox_extra_args: "-- --wycheproof-root={{ ansible_facts.env['HOME'] }}/wycheproof/" diff --git a/.zuul.playbooks/playbooks/tox/pre.yaml b/.zuul.playbooks/playbooks/tox/pre.yaml deleted file mode 100644 index 33d3487a22bd..000000000000 --- a/.zuul.playbooks/playbooks/tox/pre.yaml +++ /dev/null @@ -1,38 +0,0 @@ -- hosts: all - tasks: - - name: Clone wycheproof - git: - repo: https://github.com/google/wycheproof - dest: "{{ ansible_facts.env['HOME'] }}/wycheproof" - depth: 1 - - - name: Install tox - include_role: - name: ensure-tox - - - name: Install required packages - package: - name: - - build-essential - - libssl-dev - - libffi-dev - - python3-dev - become: yes - when: ansible_distribution in ['Debian', 'Ubuntu'] - - - name: Install required packages - package: - name: - - redhat-rpm-config - - gcc - - libffi-devel - - openssl-devel - - python3-devel - - python2-devel - become: yes - when: ansible_distribution == 'CentOS' - - - name: Install rust - include_role: - name: ensure-rust - diff --git a/.zuul.playbooks/playbooks/wheel/main.yaml b/.zuul.playbooks/playbooks/wheel/main.yaml deleted file mode 100644 index 7fcdd82efe2b..000000000000 --- a/.zuul.playbooks/playbooks/wheel/main.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- hosts: all - tasks: - - - name: Build wheel - include_role: - name: build-wheel-manylinux diff --git a/.zuul.playbooks/playbooks/wheel/pre.yaml b/.zuul.playbooks/playbooks/wheel/pre.yaml deleted file mode 100644 index fd428334653c..000000000000 --- a/.zuul.playbooks/playbooks/wheel/pre.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -- hosts: all - tasks: - - name: Sanity check build list - assert: - that: wheel_builds is defined - - - name: Run ensure-docker - include_role: - name: ensure-docker - - - name: Workaround Linaro aarch64 cloud MTU issues - # NOTE(ianw) : Docker default networking, the Linaro NAT setup and - # *insert random things here* cause PMTU issues, resulting in hung - # connections, particularly to fastly CDN (particularly annoying - # because pypi and pythonhosted live behind that). Can remove after - # upstream changes merge, or we otherwise find a solution in the - # upstream cloud. - # https://review.opendev.org/747062 - # https://review.opendev.org/746833 - # https://review.opendev.org/747064 - when: ansible_architecture == 'aarch64' - block: - - name: Install jq - package: - name: jq - state: present - become: yes - - - name: Reset docker MTU - shell: | - jq --arg mtu 1400 '. + {mtu: $mtu|tonumber}' /etc/docker/daemon.json > /etc/docker/daemon.json.new - cat /etc/docker/daemon.json.new - mv /etc/docker/daemon.json.new /etc/docker/daemon.json - service docker restart - become: yes - - - name: Pre-pull containers - command: >- - docker pull {{ item.image }} - become: yes - loop: '{{ wheel_builds }}' - diff --git a/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/README.rst b/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/README.rst deleted file mode 100644 index 13c22d2cbaca..000000000000 --- a/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/README.rst +++ /dev/null @@ -1 +0,0 @@ -Build manylinux wheels for cryptography diff --git a/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/files/build-wheels.sh b/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/files/build-wheels.sh deleted file mode 100644 index 216a839338e8..000000000000 --- a/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/files/build-wheels.sh +++ /dev/null 
@@ -1,53 +0,0 @@ -#!/bin/bash -ex - -# Compile wheels -cd /io - -mkdir -p wheelhouse.final -rm -rf build -rm -rf dist - -for P in ${PYTHONS}; do - - PYBIN=/opt/python/${P}/bin - - "${PYBIN}"/python -m venv .venv - - .venv/bin/pip install -U pip wheel cffi setuptools-rust - - REGEX="cp3([0-9])*" - if [[ "${PYBIN}" =~ $REGEX ]]; then - PY_LIMITED_API="--py-limited-api=cp3${BASH_REMATCH[1]}" - fi - - LDFLAGS="-L/opt/pyca/cryptography/openssl/lib" \ - CFLAGS="-I/opt/pyca/cryptography/openssl/include -Wl,--exclude-libs,ALL" \ - .venv/bin/python setup.py bdist_wheel $PY_LIMITED_API - - auditwheel repair --plat ${PLAT} -w wheelhouse/ dist/cryptography*.whl - - # Sanity checks - # NOTE(ianw) : no execstack on aarch64, comes from - # prelink, which was never supported. CentOS 8 does - # have it separate, skip for now. - if [[ ! "${PLAT}" =~ "aarch64" ]]; then - for f in wheelhouse/*.whl; do - unzip $f -d execstack.check - - results=$(execstack execstack.check/cryptography/hazmat/bindings/*.so) - count=$(echo "$results" | grep -c '^X' || true) - if [ "$count" -ne 0 ]; then - exit 1 - fi - rm -rf execstack.check - done - fi - - .venv/bin/pip install cryptography --no-index -f wheelhouse/ - .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - - # Cleanup - mv wheelhouse/* wheelhouse.final - rm -rf .venv dist wheelhouse - -done diff --git a/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/tasks/main.yaml b/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/tasks/main.yaml deleted file mode 100644 index 6c0ea6e2f0ed..000000000000 --- a/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/tasks/main.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -# Wheel builds is a list of dicts, with keys -# -# platform: the manylinux platform name -# image: the docker image to build in -# pythons: list of pythons in the image to build wheels for -- name: Sanity check build list - assert: - that: wheel_builds is defined - -- name: Ensure pip installed - include_role: - name: ensure-pip - -# We build an sdist of the checkout, and then build wheels from the -# sdist. This ensures that nothing is left out of the sdist. -- name: Install setuptools-rust - pip: - name: setuptools-rust - become: yes - -- name: Create sdist - command: | - python3 setup.py sdist - args: - chdir: '{{ ansible_user_dir }}/{{ zuul.project.src_dir }}' - -- name: Find output file - find: - paths: '{{ ansible_user_dir }}/{{ zuul.project.src_dir }}/dist' - file_type: file - patterns: "*.tar.gz" - register: _sdist - -- assert: - that: - - _sdist.matched == 1 - -- name: Create a build area - file: - path: '{{ ansible_user_dir }}/build' - state: directory - -- name: Create build area from sdist - unarchive: - src: '{{ _sdist.files[0].path }}' - dest: '{{ ansible_user_dir }}/build' - remote_src: yes - -- name: Find cryptography subdir from sdist build dir - set_fact: - _build_dir: "{{ ansible_user_dir }}/build/{{ _sdist.files[0].path | basename | replace('.tar.gz', '') }}" - -- name: Show _build_dir - debug: - var: _build_dir - -- name: Install build script - copy: - src: build-wheels.sh - dest: '{{ _build_dir }}' - mode: 0755 - -- name: Run builds - command: | - docker run --rm \ - -e PLAT={{ item.platform }} \ - -e PYTHONS="{{ item.pythons | join(' ') }}" \ - -v {{ _build_dir }}:/io \ - {{ item.image }} \ - /io/build-wheels.sh - become: yes - loop: '{{ wheel_builds }}' - -- name: Copy wheels to output - synchronize: - src: '{{ _build_dir }}/wheelhouse.final/' - dest: '{{ zuul.executor.log_root }}/wheelhouse' - mode: pull - -- name: Return wheelhouse artifact - zuul_return: - data: - zuul: - artifacts: - - name: "Wheelhouse" - url: 
"wheelhouse" - metadata: - type: wheelhouse diff --git a/MANIFEST.in b/MANIFEST.in index e92077b32b5e..0b6fabaf363f 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -21,7 +21,4 @@ recursive-exclude .github * exclude release.py .coveragerc codecov.yml .readthedocs.yml dev-requirements.txt tox.ini mypy.ini -recursive-exclude .zuul.d * -recursive-exclude .zuul.playbooks * - recursive-exclude .circleci *