Allow newer cryptography and add Python 3.14 tox #670

Merged
dajiaji merged 2 commits into dajiaji:main from achamayou:allow-cryptography49-python314-refresh-certs
Jun 30, 2026

@achamayou

Contributor

Summary

This PR updates the project metadata and test fixtures for the current supported dependency/runtime landscape:

  • widens the direct cryptography dependency constraint from <47 to <50
  • adds Python 3.14 to the tox environment list and tox-gh-actions mapping as py314
  • refreshes the bundled server certificate fixture used by certificate validation sample tests

Why the certificate fixture changed

The existing tests/keys/certs/server.pem fixture expired on 2026-03-16. As of the current date, the certificate validation sample tests fail because cryptography.x509.verification correctly rejects the expired certificate at validation time.

The refresh keeps the existing server key and CA material, but regenerates the server certificate with a new validity window and updates the embedded x5c value in the JWK fixtures. That preserves the intent of the tests while making them pass under real certificate validation rules again.

Cryptography dependency note

This PR allows recent cryptography releases at the python-cwt direct dependency level by changing the range to <50. This is a metadata compatibility step toward accepting the current 49.x release line.

Poetry still cannot resolve cryptography==49.0.0 today because the required pyhpke dependency currently declares cryptography >=42.0.1,<47. A follow-up PR is needed in pyhpke to allow newer cryptography versions there too; once that is released, python-cwt should be able to pick up the newer cryptography line through the full dependency graph.

Validation

  • poetry run tox -l lists py314
  • poetry run pytest -ra tests passes: 1345 passed

Widen the direct cryptography constraint, add py314 to the tox matrix, and refresh the expired certificate fixture used by certificate validation tests.
@codecov

codecov Bot commented Jun 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.01%. Comparing base (421cee2) to head (a444481).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #670   +/-   ##
=======================================
  Coverage   97.01%   97.01%           
=======================================
  Files          32       32           
  Lines        3445     3445           
=======================================
  Hits         3342     3342           
  Misses        103      103           

@achamayou

Contributor Author

@dajiaji this is a minimal set of changes to enable usage of python-cwt with newer versions of the cryptography library and newer versions of the Python interpreter.

@dajiaji dajiaji merged commit 2973048 into dajiaji:main Jun 30, 2026
21 checks passed