#### Description
Unfortunately 0b5e310881 broke mitmproxy's
ability to issue leaf certificates if `ca_file` contains multiple CAs.
This PR restores that capability.
The issue lies in `mitmproxy/certs.py` - specifically, in the
`from_files` method of the `CertStore` class. Before
0b5e310881, the issuing CA was identified
like this:
``` python
raw = ca_file.read_bytes()
key = load_pem_private_key(raw, passphrase)
…
certs = re.split(rb"(?=-----BEGIN CERTIFICATE-----)", raw)
ca = Cert.from_pem(certs[1])
```
This worked even when `ca_file` contained multiple CAs. For example,
consider this example:
```
-----BEGIN PRIVATE KEY-----
REDACTED
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICmTCCAfqgAwIBAgIRAIqaBJ6aU5wXT+5JAn8Uj1IwCgYIKoZIzj0EAwQwMDEu
MCwGA1UEAxMlbWFuc2VsbWkgSW50ZXJtZWRpYXRlIENBICgyMDIzLTA0LTExKTAe
Fw0yNDAyMTQxNzEzMDBaFw0yNDAyMTUxNzE0MDBaMB8xHTAbBgNVBAMTFG1pdG1w
cm94eSBJc3N1aW5nIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEeKTLpy6KeiWN
89S9UJoTM9w6HyrEiVByf/ie2wUX3vR/3nHVMTi5XZQD6/8h3A9yUWwtRtVDj55D
STbPKjN6G8t/Qh1dGz2vanNjmWNlceM3DOIlT30vmR5+GrUOwj+7o4HoMIHlMA4G
A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwEgYD
VR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUkf9kgx5DbP0B66Ir6oLUDV/CIU4w
HwYDVR0jBBgwFoAUqBYQLb8rkIidwq5dYuiDFdKhY48wYAYMKwYBBAGCpGTGKEAB
BFAwTgIBAQQcbWlrZUBtYW5zZWxtaS5jb206aXNzdWluZy1jYQQrYmZhODBJaGMz
VXNUcU0yQlp6ZG1rYW1OLW1XNGtpWTJrM1g5X19kd3Q0bzAKBggqhkjOPQQDBAOB
jAAwgYgCQgF/QLZ0cThJKeoeIk4dY4+Z2MdIey7kvvy1jwlWrsOqOY+UXUWHXRlj
oXZN92imAKqgLU5T859MMqWrjA1LjN7w6QJCAY+2xN7ovry3WSMqwnu86NuPL8vh
fjftZeIW5GWuLzOsEFt7SfWMhkmFc/jcFpZ/qlolPhvr6E170zNhHUSMKvjb
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICcjCCAdSgAwIBAgIQeK+VyMjx85py1kqGdjn5nTAKBggqhkjOPQQDBDAoMSYw
JAYDVQQDEx1tYW5zZWxtaSBSb290IENBICgyMDIzLTA0LTExKTAeFw0yMzA0MTEw
MjIzMzdaFw0yODA0MDkwMjIzMzdaMDAxLjAsBgNVBAMTJW1hbnNlbG1pIEludGVy
bWVkaWF0ZSBDQSAoMjAyMy0wNC0xMSkwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
BADhbjtnME8IDpBab8MogM0HchH0V9B8Qx7nRXK+tbGyyHlgLjIBYF/erJGBP0md
RMAxU5x/nPlHPODRBkJhB0wbcwGC9zjQQyxfhG75806QzkaZSsC0kFZ9d3JG4fjn
uenY1S2VZ5qE0gDc8Qmfyjcx7KqxQKwS9RwtG1ymAmWgvmGIJ6OBlDCBkTAOBgNV
HQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUqBYQLb8r
kIidwq5dYuiDFdKhY48wHwYDVR0jBBgwFoAU6+JptrrPiOuWZyKvwg0EJz5TkW8w
KwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2NhLm1hbnNlbG1pLmNvbS9jcmwwCgYI
KoZIzj0EAwQDgYsAMIGHAkEw/A2kiL4Kt9/8PND89vlXEehqeymFgats62a3UMU2
g3zATES/WI2E1IgqIsmB6ILRgWMslzpH+NGP+JJkFCz9cwJCAJaRlnOc3xafHZta
0Xwr5YUVAAfmVOj9a2XAsNlNuMy2t8cmeeGmQjrZwCuivlzLOp19Ge3Mi0dnzeV+
5L2rBOCL
-----END CERTIFICATE-----
```
`certs` would have three elements: the private key, the issuing CA and
the intermediate CA. As a result, `ca = Cert.from_pem(certs[1])` would
select the first CA (the issuing CA).
From 0b5e310881 onward, we instead have
``` python
raw = ca_file.read_bytes()
key = load_pem_private_key(raw, passphrase)
…
certs = x509.load_pem_x509_certificates(raw)
ca = Cert(certs[-1])
```
Now, `certs` would have only two elements: the issuing CA and the
intermediate CA. (`x509.load_pem_x509_certificates` discards the private
key.) As a result, `ca = Cert(certs[-1])` must instead be `ca =
Cert(certs[0])`, otherwise the `ca` and `key` won't correspond to each
other and we'll eventually see an error like this when mitmproxy tries
to generate a leaf certificate:
```
Addon error: [('x509 certificate routines', '', 'key values mismatch')]
Traceback (most recent call last):
File "/Users/manselmi/repos/mitmproxy/mitmproxy/addons/tlsconfig.py", line 208, in tls_start_client
tls_start.ssl_conn.use_privatekey(
File "/Users/manselmi/virtualenv/mitmproxy-py312/lib/python3.12/site-packages/OpenSSL/SSL.py", line 1949, in use_privatekey
self._context._raise_passphrase_exception()
File "/Users/manselmi/virtualenv/mitmproxy-py312/lib/python3.12/site-packages/OpenSSL/SSL.py", line 1123, in _raise_passphrase_exception
_raise_current_error()
File "/Users/manselmi/virtualenv/mitmproxy-py312/lib/python3.12/site-packages/OpenSSL/_util.py", line 57, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('x509 certificate routines', '', 'key values mismatch')]
```
#### Description
Fix issue #6656
This generates a wireguard config with the correct endpoint when using
two or more active NICs.
#### Checklist
- [x] I have updated tests where applicable.
- [x] I have added an entry to the CHANGELOG.
---------
Co-authored-by: Maximilian Hils <github@maximilianhils.com>
#### Description
Fixes#6647 by assuming all DNS queries are made over UDP, will need to
be reworked when TCP support is added.
#### Checklist
- [x] I have updated tests where applicable.
- [x] I have added an entry to the CHANGELOG.
#### Description
fix#6603
#### Checklist
- [x] I have updated tests where applicable.
- [ ] I have added an entry to the CHANGELOG.
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Bumps the github-actions group with 2 updates:
[install-pinned/ruff](https://github.com/install-pinned/ruff) and
[actions/cache](https://github.com/actions/cache).
Updates `install-pinned/ruff` from
4ec70113ad8b512f13948b8d9855ac59675535d2 to
fe472defb50a6a2c00ea3a3982534e86e69991e8
<details>
<summary>Commits</summary>
<ul>
<li><a
href="fe472defb5"><code>fe472de</code></a>
update README.md (ruff 0.1.15)</li>
<li><a
href="cf75457aa5"><code>cf75457</code></a>
update pins (ruff 0.1.15)</li>
<li><a
href="a5367eab93"><code>a5367ea</code></a>
update README.md (ruff 0.1.14)</li>
<li><a
href="38ee0f469b"><code>38ee0f4</code></a>
update pins (ruff 0.1.14)</li>
<li><a
href="a8e213b6a6"><code>a8e213b</code></a>
update README.md (ruff 0.1.13)</li>
<li><a
href="21180b34ff"><code>21180b3</code></a>
update pins (ruff 0.1.13)</li>
<li><a
href="58b3f74640"><code>58b3f74</code></a>
update README.md (ruff 0.1.12)</li>
<li><a
href="4234903912"><code>4234903</code></a>
update pins (ruff 0.1.12)</li>
<li><a
href="8c12fc8021"><code>8c12fc8</code></a>
update README.md (ruff 0.1.11)</li>
<li><a
href="dbde05329b"><code>dbde053</code></a>
update pins (ruff 0.1.11)</li>
<li>See full diff in <a
href="4ec70113ad...fe472defb5">compare
view</a></li>
</ul>
</details>
<br />
Updates `actions/cache` from 3 to 4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/cache/releases">actions/cache's
releases</a>.</em></p>
<blockquote>
<h2>v4.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Update action to node20 by <a
href="https://github.com/takost"><code>@takost</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1284">actions/cache#1284</a></li>
<li>feat: save-always flag by <a
href="https://github.com/to-s"><code>@to-s</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1242">actions/cache#1242</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/takost"><code>@takost</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1284">actions/cache#1284</a></li>
<li><a href="https://github.com/to-s"><code>@to-s</code></a> made their
first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1242">actions/cache#1242</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/cache/compare/v3...v4.0.0">https://github.com/actions/cache/compare/v3...v4.0.0</a></p>
<h2>v3.3.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Cache v3.3.3 by <a
href="https://github.com/robherley"><code>@robherley</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1302">actions/cache#1302</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/robherley"><code>@robherley</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1302">actions/cache#1302</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/cache/compare/v3...v3.3.3">https://github.com/actions/cache/compare/v3...v3.3.3</a></p>
<h2>v3.3.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Fixed readme with new segment timeout values by <a
href="https://github.com/kotewar"><code>@kotewar</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1133">actions/cache#1133</a></li>
<li>Readme fixes by <a
href="https://github.com/kotewar"><code>@kotewar</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1134">actions/cache#1134</a></li>
<li>Updated description of the lookup-only input for main action by <a
href="https://github.com/kotewar"><code>@kotewar</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1130">actions/cache#1130</a></li>
<li>Change two new actions mention as quoted text by <a
href="https://github.com/bishal-pdMSFT"><code>@bishal-pdMSFT</code></a>
in <a
href="https://redirect.github.com/actions/cache/pull/1131">actions/cache#1131</a></li>
<li>Update Cross-OS Caching tips by <a
href="https://github.com/pdotl"><code>@pdotl</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1122">actions/cache#1122</a></li>
<li>Bazel example (Take <a
href="https://redirect.github.com/actions/cache/issues/2">#2</a>️⃣) by
<a href="https://github.com/vorburger"><code>@vorburger</code></a> in
<a
href="https://redirect.github.com/actions/cache/pull/1132">actions/cache#1132</a></li>
<li>Remove actions to add new PRs and issues to a project board by <a
href="https://github.com/jorendorff"><code>@jorendorff</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1187">actions/cache#1187</a></li>
<li>Consume latest toolkit and fix dangling promise bug by <a
href="https://github.com/chkimes"><code>@chkimes</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1217">actions/cache#1217</a></li>
<li>Bump action version to 3.3.2 by <a
href="https://github.com/bethanyj28"><code>@bethanyj28</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1236">actions/cache#1236</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/vorburger"><code>@vorburger</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1132">actions/cache#1132</a></li>
<li><a
href="https://github.com/jorendorff"><code>@jorendorff</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1187">actions/cache#1187</a></li>
<li><a href="https://github.com/chkimes"><code>@chkimes</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1217">actions/cache#1217</a></li>
<li><a
href="https://github.com/bethanyj28"><code>@bethanyj28</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1236">actions/cache#1236</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/cache/compare/v3...v3.3.2">https://github.com/actions/cache/compare/v3...v3.3.2</a></p>
<h2>v3.3.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Reduced download segment size to 128 MB and timeout to 10 minutes by
<a href="https://github.com/kotewar"><code>@kotewar</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1129">actions/cache#1129</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/cache/compare/v3...v3.3.1">https://github.com/actions/cache/compare/v3...v3.3.1</a></p>
<h2>v3.3.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Bug: Permission is missing in cache delete example by <a
href="https://github.com/kotokaze"><code>@kotokaze</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1123">actions/cache#1123</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/cache/blob/main/RELEASES.md">actions/cache's
changelog</a>.</em></p>
<blockquote>
<h1>Releases</h1>
<h3>3.0.0</h3>
<ul>
<li>Updated minimum runner version support from node 12 -> node
16</li>
</ul>
<h3>3.0.1</h3>
<ul>
<li>Added support for caching from GHES 3.5.</li>
<li>Fixed download issue for files > 2GB during restore.</li>
</ul>
<h3>3.0.2</h3>
<ul>
<li>Added support for dynamic cache size cap on GHES.</li>
</ul>
<h3>3.0.3</h3>
<ul>
<li>Fixed avoiding empty cache save when no files are available for
caching. (<a
href="https://redirect.github.com/actions/cache/issues/624">issue</a>)</li>
</ul>
<h3>3.0.4</h3>
<ul>
<li>Fixed tar creation error while trying to create tar with path as
<code>~/</code> home folder on <code>ubuntu-latest</code>. (<a
href="https://redirect.github.com/actions/cache/issues/689">issue</a>)</li>
</ul>
<h3>3.0.5</h3>
<ul>
<li>Removed error handling by consuming actions/cache 3.0 toolkit, Now
cache server error handling will be done by toolkit. (<a
href="https://redirect.github.com/actions/cache/pull/834">PR</a>)</li>
</ul>
<h3>3.0.6</h3>
<ul>
<li>Fixed <a
href="https://redirect.github.com/actions/cache/issues/809">#809</a> -
zstd -d: no such file or directory error</li>
<li>Fixed <a
href="https://redirect.github.com/actions/cache/issues/833">#833</a> -
cache doesn't work with github workspace directory</li>
</ul>
<h3>3.0.7</h3>
<ul>
<li>Fixed <a
href="https://redirect.github.com/actions/cache/issues/810">#810</a> -
download stuck issue. A new timeout is introduced in the download
process to abort the download if it gets stuck and doesn't finish within
an hour.</li>
</ul>
<h3>3.0.8</h3>
<ul>
<li>Fix zstd not working for windows on gnu tar in issues <a
href="https://redirect.github.com/actions/cache/issues/888">#888</a> and
<a
href="https://redirect.github.com/actions/cache/issues/891">#891</a>.</li>
<li>Allowing users to provide a custom timeout as input for aborting
download of a cache segment using an environment variable
<code>SEGMENT_DOWNLOAD_TIMEOUT_MINS</code>. Default is 60 minutes.</li>
</ul>
<h3>3.0.9</h3>
<ul>
<li>Enhanced the warning message for cache unavailablity in case of
GHES.</li>
</ul>
<h3>3.0.10</h3>
<ul>
<li>Fix a bug with sorting inputs.</li>
<li>Update definition for restore-keys in README.md</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="13aacd865c"><code>13aacd8</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/cache/issues/1242">#1242</a>
from to-s/main</li>
<li><a
href="53b35c5439"><code>53b35c5</code></a>
Merge branch 'main' into main</li>
<li><a
href="65b8989fab"><code>65b8989</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/cache/issues/1284">#1284</a>
from takost/update-to-node-20</li>
<li><a
href="d0be34d544"><code>d0be34d</code></a>
Fix dist</li>
<li><a
href="66cf064d47"><code>66cf064</code></a>
Merge branch 'main' into update-to-node-20</li>
<li><a
href="1326563738"><code>1326563</code></a>
Merge branch 'main' into main</li>
<li><a
href="e71876755e"><code>e718767</code></a>
Fix format</li>
<li><a
href="01229828ff"><code>0122982</code></a>
Apply workaround for earlyExit</li>
<li><a
href="3185ecfd61"><code>3185ecf</code></a>
Update "only-" actions to node20</li>
<li><a
href="25618a0a67"><code>25618a0</code></a>
Bump version</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/cache/compare/v3...v4">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updates the requirements on
[cryptography](https://github.com/pyca/cryptography) to permit the
latest version.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>42.0.2 - 2024-01-30</p>
<pre><code>
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL
3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol
objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with
``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
<p>.. _v42-0-1:</p>
<p>42.0.1 - 2024-01-24
</code></pre></p>
<ul>
<li>Fixed an issue with incorrect keyword-argument naming with
<code>EllipticCurvePrivateKey</code>
:meth:<code>~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign</code>.</li>
<li>Resolved compatibility issue with loading certain RSA public keys in
:func:<code>~cryptography.hazmat.primitives.serialization.load_pem_public_key</code>.</li>
</ul>
<p>.. _v42-0-0:</p>
<p>42.0.0 - 2024-01-22</p>
<pre><code>
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.7.
* **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field
using
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
or
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
will now raise a ``ValueError`` rather than return an empty list.
* Parsing SSH certificates no longer permits malformed critical options
with
values, as documented in the 41.0.2 release notes.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL
3.2.0.
* Updated the minimum supported Rust version (MSRV) to 1.63.0, from
1.56.0.
* We now publish both ``py37`` and ``py39`` ``abi3`` wheels. This should
resolve some errors relating to initializing a module multiple times per
process.
* Support
:class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` for
X.509 certificate signing requests and certificate revocation lists with
the
keyword-only argument ``rsa_padding`` on the ``sign`` methods for
:class:`~cryptography.x509.CertificateSigningRequestBuilder` and
:class:`~cryptography.x509.CertificateRevocationListBuilder`.
* Added support for obtaining X.509 certificate signing request
signature
algorithm parameters (including PSS) via
</tr></table>
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="2202123b50"><code>2202123</code></a>
changelog and version bump 42.0.2 (<a
href="https://redirect.github.com/pyca/cryptography/issues/10268">#10268</a>)</li>
<li><a
href="f7032bdd40"><code>f7032bd</code></a>
bump openssl in CI (<a
href="https://redirect.github.com/pyca/cryptography/issues/10298">#10298</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/10299">#10299</a>)</li>
<li><a
href="002e886f16"><code>002e886</code></a>
Fixes <a
href="https://redirect.github.com/pyca/cryptography/issues/10294">#10294</a>
-- correct accidental change to exchange kwarg (<a
href="https://redirect.github.com/pyca/cryptography/issues/10295">#10295</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/10296">#10296</a>)</li>
<li><a
href="92fa9f2f60"><code>92fa9f2</code></a>
support bytes-like consistently across our asym sign/verify APIs (<a
href="https://redirect.github.com/pyca/cryptography/issues/10260">#10260</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/1">#1</a>...</li>
<li><a
href="6478f7e28b"><code>6478f7e</code></a>
explicitly support bytes-like for signature/data in RSA sign/verify (<a
href="https://redirect.github.com/pyca/cryptography/issues/10259">#10259</a>)
...</li>
<li><a
href="4bb8596ae0"><code>4bb8596</code></a>
fix the release script (<a
href="https://redirect.github.com/pyca/cryptography/issues/10233">#10233</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/10254">#10254</a>)</li>
<li><a
href="337437dc2e"><code>337437d</code></a>
42.0.1 bump (<a
href="https://redirect.github.com/pyca/cryptography/issues/10252">#10252</a>)</li>
<li><a
href="56255de6b2"><code>56255de</code></a>
allow SPKI RSA keys to be parsed even if they have an incorrect
delimiter (<a
href="https://redirect.github.com/pyca/cryptography/issues/1">#1</a>...</li>
<li><a
href="12f038b38a"><code>12f038b</code></a>
fixes <a
href="https://redirect.github.com/pyca/cryptography/issues/10237">#10237</a>
-- correct EC sign parameter name (<a
href="https://redirect.github.com/pyca/cryptography/issues/10239">#10239</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/10240">#10240</a>)</li>
<li><a
href="4e64baf360"><code>4e64baf</code></a>
42.0.0 version bump (<a
href="https://redirect.github.com/pyca/cryptography/issues/10232">#10232</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pyca/cryptography/compare/39.0.0...42.0.2">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updates the requirements on
[pytest](https://github.com/pytest-dev/pytest) to permit the latest
version.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pytest-dev/pytest/releases">pytest's
releases</a>.</em></p>
<blockquote>
<h2>pytest 8.0.0 (2024-01-27)</h2>
<p>See <a
href="https://github.com/pytest-dev/pytest/releases/tag/8.0.0rc1">8.0.0rc1</a>
and <a
href="https://github.com/pytest-dev/pytest/releases/tag/8.0.0rc2">8.0.0rc2</a>
for the full changes since pytest 7.4!</p>
<h2>Bug Fixes</h2>
<ul>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/11842">#11842</a>:
Properly escape the <code>reason</code> of a <code>skip
<pytest.mark.skip ref></code>{.interpreted-text
role="ref"} mark when writing JUnit XML files.</li>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/11861">#11861</a>:
Avoid microsecond exceeds <code>1_000_000</code> when using
<code>log-date-format</code> with <code>%f</code> specifier, which might
cause the test suite to crash.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="478f8233bc"><code>478f823</code></a>
Prepare release version 8.0.0</li>
<li><a
href="608590097a"><code>6085900</code></a>
[8.0.x] fix: avoid rounding microsecond to <code>1_000_000</code> (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/11863">#11863</a>)</li>
<li><a
href="3b41c65c81"><code>3b41c65</code></a>
[8.0.x] Escape skip reason in junitxml (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/11845">#11845</a>)</li>
<li><a
href="747072ad26"><code>747072a</code></a>
[8.0.x] Update docstring of scripts/generate-gh-release-notes.py (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/11768">#11768</a>)</li>
<li><a
href="011a475baf"><code>011a475</code></a>
Properly attach packages to the GH release notes (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/11839">#11839</a>)
(<a
href="https://redirect.github.com/pytest-dev/pytest/issues/11840">#11840</a>)</li>
<li><a
href="97960bdd14"><code>97960bd</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/11835">#11835</a>
from pytest-dev/release-8.0.0rc2</li>
<li><a
href="6be0a3cbf7"><code>6be0a3c</code></a>
Prepare release version 8.0.0rc2</li>
<li><a
href="44ffe07165"><code>44ffe07</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/11837">#11837</a>
from pytest-dev/backport-11836-to-8.0.x</li>
<li><a
href="14ecb04973"><code>14ecb04</code></a>
[8.0.x] testing: temporarily disable test due to hypothesis issue</li>
<li><a
href="41c8dabee3"><code>41c8dab</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/11831">#11831</a>
from bluetech/backport-11825-to-8.0.x</li>
<li>Additional commits viewable in <a
href="https://github.com/pytest-dev/pytest/compare/6.1.0...8.0.0">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updates the requirements on
[pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio) to permit
the latest version.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pytest-dev/pytest-asyncio/releases">pytest-asyncio's
releases</a>.</em></p>
<blockquote>
<h2>pytest-asyncio 0.23.3</h2>
<h1>0.23.3 (2024-01-01)</h1>
<ul>
<li>Fixes a bug that caused event loops to be closed prematurely when
using async generator fixtures with class scope or wider in a
function-scoped test <a
href="https://redirect.github.com/pytest-dev/pytest-asyncio/issues/706">#706</a></li>
<li>Fixes various bugs that caused an internal pytest error during test
collection <a
href="https://redirect.github.com/pytest-dev/pytest-asyncio/issues/711">#711</a>
<a
href="https://redirect.github.com/pytest-dev/pytest-asyncio/issues/713">#713</a>
<a
href="https://redirect.github.com/pytest-dev/pytest-asyncio/issues/719">#719</a></li>
</ul>
<h2>Known issues</h2>
<p>As of v0.23, pytest-asyncio attaches an asyncio event loop to each
item of the test suite (i.e. session, packages, modules, classes,
functions) and allows tests to be run in those loops when marked
accordingly. Pytest-asyncio currently assumes that async fixture scope
is correlated with the new event loop scope. This prevents fixtures from
being evaluated independently from the event loop scope and breaks some
existing test suites (see <a
href="https://redirect.github.com/pytest-dev/pytest-asyncio/issues/706">#706</a>).
For example, a test suite may require all fixtures and tests to run in
the same event loop, but have async fixtures that are set up and torn
down for each module. If you're affected by this issue, please continue
using the v0.21 release, until it is resolved.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="260b79185b"><code>260b791</code></a>
[docs] Prepare release of v0.23.3.</li>
<li><a
href="6a253e20fb"><code>6a253e2</code></a>
[docs] Shorten changelog by combining multiple issues.</li>
<li><a
href="e2cbb906c5"><code>e2cbb90</code></a>
[docs] Mention correct issue in changelog.</li>
<li><a
href="0c522bff15"><code>0c522bf</code></a>
[fix] Fixes a bug that caused an internal pytest error when using
ImportWarni...</li>
<li><a
href="31c7e6f9ac"><code>31c7e6f</code></a>
Build(deps): Bump coverage from 7.3.3 to 7.3.4 in
/dependencies/default</li>
<li><a
href="38d5c7eed0"><code>38d5c7e</code></a>
Build(deps): Bump sphinx-rtd-theme in /dependencies/docs</li>
<li><a
href="650ec5875d"><code>650ec58</code></a>
Build(deps): Bump babel from 2.13.1 to 2.14.0 in /dependencies/docs</li>
<li><a
href="0166a7e55f"><code>0166a7e</code></a>
Build(deps): Bump typing-extensions in /dependencies/default</li>
<li><a
href="3a15f3039c"><code>3a15f30</code></a>
Build(deps): Bump coverage from 7.3.2 to 7.3.3 in
/dependencies/default</li>
<li><a
href="28e91f00cd"><code>28e91f0</code></a>
Build(deps): Bump hypothesis in /dependencies/default</li>
<li>Additional commits viewable in <a
href="https://github.com/pytest-dev/pytest-asyncio/compare/v0.17.0...v0.23.3">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pyinstaller](https://github.com/pyinstaller/pyinstaller) from
6.2.0 to 6.3.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pyinstaller/pyinstaller/releases">pyinstaller's
releases</a>.</em></p>
<blockquote>
<h2>v6.3.0</h2>
<p>Please see the <a
href="https://pyinstaller.org/en/v6.3.0/CHANGES.html#id1">v6.3.0 section
of the changelog</a> for a list of the changes since v6.2.0.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyinstaller/pyinstaller/blob/develop/doc/CHANGES.rst">pyinstaller's
changelog</a>.</em></p>
<blockquote>
<h2>6.3.0 (2023-12-10)</h2>
<p>Bugfix</p>
<pre><code>
* (Linux) Optimize the automatic binary-vs-data classification by
avoiding
``objdump`` based check on files that do not have ELF signature. This
mitigates noticeably longer analysis times for projects with large
number of
(data) files. (:issue:`8148`)
* (Windows) Add Windows error code 110 (``ERROR_OPEN_FAILED``) to the
list of
error codes eligible for the retry mechanism that attempts to mitigate
build
failures due to anti-virus program interference. (:issue:`8138`)
* (Windows) Fix issue with non-functional :func:`time.sleep()` when
building
program with Python <= 3.8.6 or Python 3.9.0. (:issue:`8104`)
* (Windows) Fix issue with splash screen in ``onefile`` mode failing to
extract
``VCRUNTIME140.dll`` from the archive due to character-case mismatch. We
now
perform case-insensitive comparison between the name listed in splash
dependency list and the names in archive TOC. (:issue:`8103`)
* Fix PEP 597 EncodingWarnings when :envvar:`PYTHONWARNDEFAULTENCODING`
is set
to true. (:issue:`8117`)
* Fix pre-safe-import hooks for ``six.moves``,
``urllib3.packages.six.moves``,
and ``setuptools.extern.six.moves`` to gracefully handle cases when the
corresponding ``six`` package is unavailable, as the hook may end up
being
executed even in that case. (:issue:`8145`)
* Fix symbolic link tracking in ``MERGE`` processing, so that distinct
symbolic
links with same relative target (e.g. ``Current -> A`` symbolic links
in Qt
.framework bundles collected on macOS) are properly processed, and kept
in the
original TOC upon their first occurrence. (:issue:`8124`)
<p>Hooks</p>
<pre><code>
* Add hook for ``gi.repository.DBus``. (:issue:`8149`)
* Add hooks for ``gi.repository.AppIndicator3`` and
``gi.repository.AyatanaAppIndicator3``. (:issue:`8149`)
Bootloader
</code></pre>
<ul>
<li>When setting up embedded Python interpreter configuration, set
<code>PyConfig.install_signal_handlers=1</code> to install
signal handlers.
This matches the behavior of PyInstaller 5.x bootloaders, where
interpreter
was initialized via <code>Py_Initialize()</code>, which in
turn calls
<code>Py_InitializeEx(1)</code>, i.e., with
<code>install_sigs=1</code>.
(:issue:<code>8105</code>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="f563dce1e8"><code>f563dce</code></a>
Release v6.3.0. [skip ci]</li>
<li><a
href="79aa828e13"><code>79aa828</code></a>
hooks: gi: add hook for gi.repository.DBus</li>
<li><a
href="3f42b9574f"><code>3f42b95</code></a>
hooks: gi: add hooks for AppIndicator3 and
AyatanaAppIndicator3</li>
<li><a
href="b262373f68"><code>b262373</code></a>
Tests: Requirements: Scheduled weekly dependency update for week 50
(<a
href="https://redirect.github.com/pyinstaller/pyinstaller/issues/8157">#8157</a>)</li>
<li><a
href="0f51fca360"><code>0f51fca</code></a>
bindepend: optimize binary-vs-data classification on linux</li>
<li><a
href="14af1e7143"><code>14af1e7</code></a>
building: add an INFO message at start of binary-vs-data
reclassification</li>
<li><a
href="8c4d099e5f"><code>8c4d099</code></a>
pre-safe-import-hooks: create six.move runtime package only if six is
available</li>
<li><a
href="ac91826b1f"><code>ac91826</code></a>
pre-safe-import-hooks: gracefully handle cases when six is
unavailable</li>
<li><a
href="bb1b306cca"><code>bb1b306</code></a>
Tests: Requirements: Scheduled weekly dependency update for week 49
(<a
href="https://redirect.github.com/pyinstaller/pyinstaller/issues/8142">#8142</a>)</li>
<li><a
href="ac7f6835c2"><code>ac7f683</code></a>
building: retry mechanism: enable retry on winerror 110</li>
<li>Additional commits viewable in <a
href="https://github.com/pyinstaller/pyinstaller/compare/v6.2.0...v6.3.0">compare
view</a></li>
</ul>
</details>
<br />
</code></pre>
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
/cc @driuba - does that look good?
---------
Co-authored-by: Andrius Andrikonis <andrius.andrikonis@toughlex.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
This fixes#6494: if CA and leaf share the same Subject Key Identifier,
SChannel gets confused. So we just skip the SKI for leafs, which is
still fine with OpenSSL 3.x (this was previously fixed by @mmaxim) and
RFC 5280.
Co-authored-by: Andrius Andrikonis <andrius.andrikonis@toughlex.com>
