chore: add warning for rsa library (#1925)

daniel-sanche · web-flow · commit 59b6abc7a615 · 2026-01-09T17:53:07.000-08:00
The `rsa` library is archived, and scheduled to be removed.
`google-auth` already supports an alternate implementation, using
`cryptography`. This PR adds a warning to users still relying on the old
library, and adds `rsa` as an optional dependency to allow users to
continue to opt-in to rsa during deprecation persion

After release, a follow-up version will remove rsa as a required
dependency, leaving it only for opt-in users
diff --git a/packages/google-auth/google/auth/crypt/_python_rsa.py b/packages/google-auth/google/auth/crypt/_python_rsa.py
@@ -22,6 +22,7 @@
 from __future__ import absolute_import
 
 import io
+import warnings
 
 from pyasn1.codec.der import decoder  # type: ignore
 from pyasn1_modules import pem  # type: ignore
@@ -39,6 +40,15 @@
 _PKCS8_MARKER = ("-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----")
 _PKCS8_SPEC = PrivateKeyInfo()
 
+warnings.warn(
+    (
+        "The 'rsa' library is deprecated and will be removed in a future release. "
+        "Please migrate to 'cryptography'."
+    ),
+    category=DeprecationWarning,
+    stacklevel=2,
+)
+
 
 def _bit_list_to_bytes(bit_list):
     """Converts an iterable of 1s and 0s to bytes.
@@ -64,6 +74,10 @@ def _bit_list_to_bytes(bit_list):
 class RSAVerifier(base.Verifier):
     """Verifies RSA cryptographic signatures using public keys.
 
+    .. deprecated::
+        The `rsa` library has been archived. Please migrate to
+        `cryptography`.
+
     Args:
         public_key (rsa.key.PublicKey): The public key used to verify
             signatures.
@@ -116,6 +130,10 @@ def from_string(cls, public_key):
 class RSASigner(base.Signer, base.FromServiceAccountMixin):
     """Signs messages with an RSA private key.
 
+    .. deprecated::
+        The `rsa` library has been archived. Please migrate to
+        `cryptography`.
+
     Args:
         private_key (rsa.key.PrivateKey): The private key to sign with.
         key_id (str): Optional key ID used to identify this private key. This
diff --git a/packages/google-auth/noxfile.py b/packages/google-auth/noxfile.py
@@ -129,6 +129,7 @@ def unit(session):
         "--cov-report=term-missing",
         "tests",
         "tests_async",
+        *session.posargs,
     )
 
 
diff --git a/packages/google-auth/tests/crypt/test__python_rsa.py b/packages/google-auth/tests/crypt/test__python_rsa.py
@@ -191,3 +191,12 @@ def test_from_service_account_file(self):
 
         assert signer.key_id == SERVICE_ACCOUNT_INFO[base._JSON_FILE_PRIVATE_KEY_ID]
         assert isinstance(signer._key, rsa.key.PrivateKey)
+
+
+class TestModule(object):
+    def test_import_warning(self):
+        import importlib
+        from google.auth.crypt import _python_rsa
+
+        with pytest.warns(DeprecationWarning, match="The 'rsa' library is deprecated"):
+            importlib.reload(_python_rsa)

Original file line number	Diff line number	Diff line change
`@@ -129,6 +129,7 @@ def unit(session):`
`129`	`129`	`"--cov-report=term-missing",`
`130`	`130`	`"tests",`
`131`	`131`	`"tests_async",`
	`132`	`+ *session.posargs,`
`132`	`133`	`)`
`133`	`134`
`134`	`135`