
build(deps): bump cryptography from 43.0.3 to 44.0.0 #1233


Merged
merged 1 commit into from
Dec 11, 2024

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Nov 28, 2024

Bumps cryptography from 43.0.3 to 44.0.0.

Changelog

Sourced from cryptography's changelog.

44.0.0 - 2024-11-27


* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.9.
* Deprecated Python 3.7 support. Python 3.7 is no longer supported by the
  Python core team. Support for Python 3.7 will be removed in a future
  ``cryptography`` release.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0.
* macOS wheels are now built against the macOS 10.13 SDK. Users on older
  versions of macOS should upgrade, or they will need to build
  ``cryptography`` themselves.
* Enforce the :rfc:`5280` requirement that extended key usage extensions must
  not be empty.
* Added support for timestamp extraction to the
  :class:`~cryptography.fernet.MultiFernet` class.
* Relax the Authority Key Identifier requirements on root CA certificates
  during X.509 verification to allow fields permitted by :rfc:`5280` but
  forbidden by the CA/Browser BRs.
* Added support for :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id`
  when using OpenSSL 3.2.0+.
* Added support for the :class:`~cryptography.x509.Admissions` certificate extension.
* Added basic support for PKCS7 decryption (including S/MIME 3.2) via
  :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der`,
  :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem`, and
  :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime`.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Nov 28, 2024
@dependabot dependabot bot force-pushed the dependabot/pip/cryptography-44.0.0 branch from 8c43f6e to 6283ba4 Compare November 28, 2024 21:42
@jku
Member

jku commented Nov 29, 2024

I'm a bit surprised this passes tests considering the explanation in #1229

This is pretty interesting, excerpts from install log:

Collecting cryptography<45,>=42 (from sigstore==3.5.3)
  Using cached cryptography-44.0.0-cp39-abi3-manylinux_2_34_x86_64.whl.metadata (5.7 kB)

...

Collecting cryptography<45,>=42 (from sigstore==3.5.3)
  Using cached cryptography-43.0.3-cp39-abi3-manylinux_2_28_x86_64.whl.metadata (5.4 kB)

...

Using cached cryptography-43.0.3-cp39-abi3-manylinux_2_28_x86_64.whl (4.0 MB)

...

Successfully installed ...  cryptography-43.0.3 ... 

Member

@jku jku left a comment

This does not look safe at the moment, marking "request changes"

@dependabot dependabot bot force-pushed the dependabot/pip/cryptography-44.0.0 branch from 6283ba4 to 1d44888 Compare November 30, 2024 03:22
@di
Member

di commented Dec 2, 2024

Looks like this is because rfc3161-client==0.0.4 is also constraining to cryptography<44,>=43:

$ python -m pip install cryptography==44.0.0 -e .[test]
Obtaining file:///home/di/git/sigstore/sigstore-python
  Installing build dependencies ... done
  Checking if build backend supports build_editable ... done
  Getting requirements to build editable ... done
  Preparing editable metadata (pyproject.toml) ... done
Collecting cryptography==44.0.0
  Using cached cryptography-44.0.0-cp39-abi3-manylinux_2_28_x86_64.whl (4.2 MB)
Collecting cffi>=1.12 (from cryptography==44.0.0)
  Using cached cffi-1.17.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (467 kB)
Collecting id>=1.1.0 (from sigstore==3.5.3)
  Downloading id-1.4.0-py3-none-any.whl (13 kB)
Collecting pyasn1~=0.6 (from sigstore==3.5.3)
  Downloading pyasn1-0.6.1-py3-none-any.whl (83 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 83.1/83.1 kB 1.7 MB/s eta 0:00:00
Collecting pydantic<3,>=2 (from sigstore==3.5.3)
  Downloading pydantic-2.10.2-py3-none-any.whl (456 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 456.4/456.4 kB 12.3 MB/s eta 0:00:00
Collecting pyjwt>=2.1 (from sigstore==3.5.3)
  Downloading PyJWT-2.10.1-py3-none-any.whl (22 kB)
Collecting pyOpenSSL>=23.0.0 (from sigstore==3.5.3)
  Downloading pyOpenSSL-24.3.0-py3-none-any.whl (56 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 56.1/56.1 kB 6.6 MB/s eta 0:00:00
Collecting requests (from sigstore==3.5.3)
  Downloading requests-2.32.3-py3-none-any.whl (64 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 64.9/64.9 kB 7.3 MB/s eta 0:00:00
Collecting rich~=13.0 (from sigstore==3.5.3)
  Downloading rich-13.9.4-py3-none-any.whl (242 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 242.4/242.4 kB 24.1 MB/s eta 0:00:00
Collecting rfc8785~=0.1.2 (from sigstore==3.5.3)
  Downloading rfc8785-0.1.4-py3-none-any.whl (9.2 kB)
Collecting rfc3161-client==0.0.4 (from sigstore==3.5.3)
  Downloading rfc3161_client-0.0.4-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 53.9 MB/s eta 0:00:00
Collecting sigstore-protobuf-specs==0.3.2 (from sigstore==3.5.3)
  Downloading sigstore_protobuf_specs-0.3.2-py3-none-any.whl (24 kB)
Collecting sigstore-rekor-types==0.0.18 (from sigstore==3.5.3)
  Downloading sigstore_rekor_types-0.0.18-py3-none-any.whl (20 kB)
Collecting tuf~=5.0 (from sigstore==3.5.3)
  Downloading tuf-5.1.0-py3-none-any.whl (50 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 50.8/50.8 kB 5.8 MB/s eta 0:00:00
Collecting platformdirs~=4.2 (from sigstore==3.5.3)
  Using cached platformdirs-4.3.6-py3-none-any.whl (18 kB)
Collecting pytest (from sigstore==3.5.3)
  Downloading pytest-8.3.4-py3-none-any.whl (343 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 343.1/343.1 kB 28.7 MB/s eta 0:00:00
Collecting pytest-cov (from sigstore==3.5.3)
  Downloading pytest_cov-6.0.0-py3-none-any.whl (22 kB)
Collecting pretend (from sigstore==3.5.3)
  Using cached pretend-1.0.9-py2.py3-none-any.whl (3.8 kB)
Collecting coverage[toml] (from sigstore==3.5.3)
  Downloading coverage-7.6.8-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (238 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 238.7/238.7 kB 20.9 MB/s eta 0:00:00
Collecting maturin<2.0,>=1.7 (from rfc3161-client==0.0.4->sigstore==3.5.3)
  Downloading maturin-1.7.7-py3-none-manylinux_2_12_x86_64.manylinux2010_x86_64.musllinux_1_1_x86_64.whl (7.9 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 7.9/7.9 MB 71.8 MB/s eta 0:00:00
INFO: pip is looking at multiple versions of rfc3161-client to determine which version is compatible with other requirements. This could take a while.
ERROR: Cannot install cryptography==44.0.0, sigstore and sigstore[test]==3.5.3 because these package versions have conflicting dependencies.

The conflict is caused by:
    The user requested cryptography==44.0.0
    sigstore[test] 3.5.3 depends on cryptography<45 and >=42
    rfc3161-client 0.0.4 depends on cryptography<44 and >=43

To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip attempt to solve the dependency conflict

ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts

So this is probably blocked on trailofbits/rfc3161-client#74.
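
A check for the situation di's log shows, written here as an added example and not taken from sigstore-python, pip or rfc3161-client: it re-evaluates the constraints pip printed against a candidate version, names the requirement that blocks it, and reports via importlib.metadata what actually ended up installed, which is the number a reviewer should confirm after a bump like this one. The constraint strings are copied from the thread; the version logic is a constructed minimal subset of PEP 440 (numeric release segments only, no pre-releases or wildcards).

```python
import re
from importlib import metadata

_OPS = {"==": lambda v, s: v == s, "!=": lambda v, s: v != s,
        "<=": lambda v, s: v <= s, ">=": lambda v, s: v >= s,
        "<": lambda v, s: v < s, ">": lambda v, s: v > s}

def parse_version(text, width=3):
    """'44' -> (44, 0, 0), so '44' and '44.0.0' compare equal (release segments only)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def satisfies(version, clause):
    """True if `version` meets one PEP 440 clause such as '<45' or '~=5.0'."""
    m = re.fullmatch(r"\s*(~=|==|!=|<=|>=|<|>)\s*([\d.]+)\s*", clause)
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    op, bound = m.groups()
    v = parse_version(version)
    if op == "~=":  # compatible release: >= bound and < bound with its last segment bumped
        parts = [int(p) for p in bound.split(".")]
        upper = parts[:-1]
        upper[-1] += 1
        return parse_version(bound) <= v < parse_version(".".join(map(str, upper)))
    return _OPS[op](v, parse_version(bound))

def blockers(version, requirements):
    """Return the requesters (keys) whose requirement string `version` fails."""
    out = []
    for who, req in requirements.items():
        spec = re.sub(r"^[A-Za-z0-9_.\-\[\]]+", "", req)  # drop the package name
        if not all(satisfies(version, c) for c in spec.split(",")):
            out.append(who)
    return out

# Constraints exactly as pip reported them in the thread above.
CONSTRAINTS = {
    "sigstore[test] 3.5.3": "cryptography<45,>=42",
    "rfc3161-client 0.0.4": "cryptography<44,>=43",
}

def installed_version(dist="cryptography"):
    """Version actually present in this interpreter, or None if not installed."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    print("blocking 44.0.0:", blockers("44.0.0", CONSTRAINTS), "| installed:", installed_version())
```

Running it in the environment built by the PR's CI is the direct way to see whether the bump took effect or whether the resolver quietly fell back to 43.0.3, as the earlier install log excerpt shows.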

@woodruffw
Member

woodruffw commented Dec 2, 2024

Yep, that's why -- that constraint saves us on main but it didn't save us on the 3.5.0 release since we hadn't landed the TSA/TSP changes in a release yet 🙂

We'll get the rfc3161-client changes landed today to unblock here.

@woodruffw
Member

There's an impressive stack of yaks here: I've prepped a new release of rfc3161-client, but the underlying build backend (maturin) decided to switch to metadata 2.4 before a stable version of twine supported that version.

As a result, gh-action-pypi-publish (and twine) can't currently publish new maturin-built wheels: https://github.com/trailofbits/rfc3161-client/actions/runs/12122650623/job/33796528057

pypa/gh-action-pypi-publish#309 should unblock things there.

@woodruffw
Member

/gcbrun

@woodruffw
Member

/gcbrun

@woodruffw
Member

woodruffw commented Dec 10, 2024

This should be good to go now, and will unblock #1246 once we do a release here.

@woodruffw woodruffw enabled auto-merge (squash) December 10, 2024 21:52
@woodruffw woodruffw requested a review from jku December 10, 2024 21:53
@woodruffw woodruffw disabled auto-merge December 10, 2024 21:53
@jku
Member

jku commented Dec 11, 2024

@dependabot rebase

Contributor Author

dependabot bot commented on behalf of github Dec 11, 2024

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@jku
Member

jku commented Dec 11, 2024

@dependabot recreate

Bumps [cryptography](https://github.com/pyca/cryptography) from 43.0.3 to 44.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@43.0.3...44.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/pip/cryptography-44.0.0 branch from 074d184 to 7c42705 Compare December 11, 2024 08:57
@jku
Member

jku commented Dec 11, 2024

/gcbrun

Member

@jku jku left a comment

this still practically installs cryptography 43 but seems fine: we'll see the reality once #1246 lands

@jku jku merged commit b3e3aa9 into main Dec 11, 2024
24 checks passed
@jku jku deleted the dependabot/pip/cryptography-44.0.0 branch December 11, 2024 09:04
Labels
blocked dependencies Pull requests that update a dependency file python Pull requests that update Python code