Release Notes#

Changes for v3.2.2 (2024-01-28)#

  • Update upper bound on lxml dependency to allow lxml 5

  • Bump minimum dependency versions to align with Ubuntu 20.04

  • Test and release infrastructure improvements

Changes for v3.2.1 (2023-08-06)#

  • Use dataclass.replace in SignatureReference construction. Fixes #231

Changes for v3.2.0 (2023-04-12)#

  • Roundtrip referenced XML nodes before c14n to detach them from parent document when verifying (#225)

Changes for v3.1.1 (2023-04-08)#

  • Add type attribute to XAdES signed properties reference (#224)

Changes for v3.1.0 (2023-01-04)#

  • Use distinct default for payload c14n. Fixes #217

  • Deprecate SHA1

  • Test and documentation improvements

Changes for v3.0.2 (2022-11-28)#

  • Remove incorrect deprecation of xml-c14n11 URI

Changes for v3.0.1 (2022-11-27)#

  • Mark SHA1 as deprecated

  • Aggregate verification settings in SignatureConfiguration dataclass

  • Mark all dataclasses in API as frozen

  • Add ability to assert expected signature location

  • Add ability to assert expected signature algorithms

  • Add ability to assert expected digest algorithms

  • Add MGF1 (“RSASSA-PSS without parameters”) algorithm identifiers

  • Remove PSS (“RSASSA-PSS with parameters”) and EdDSA algorithm identifiers (given low usage and no interop examples, we will not be implementing PSS parameters for now; EdDSA key info additionally has no standardized way to serialize it)

  • Add debug logging of canonicalization outputs

  • Documentation and formatting improvements

Changes for v3.0.0 (2022-11-13)#

  • Add XAdES support

  • Migrate all configuration inputs to enums (string identifiers are still supported, but will be deprecated in a future version)

  • Migrate structured data inputs to dataclasses

  • Deprecate excise_empty_xmlns_declarations

  • Documentation and test infrastructure improvements

  • Clean up top level signxml and signxml.xades namespaces

  • Stop using default_backend for cryptography, it is no longer required

  • Drop Python 3.6 support (#200)

  • Drop Python 3.6 support.

Changes for v2.10.1 (2022-09-09)#

  • Do not excise any empty xmlns="" declarations by default. This behavior is now configurable as follows

    signer = XMLSigner()
signer.excise_empty_xmlns_declarations = True
signer.sign(...)

    verifier = XMLVerifier()
verifier.excise_empty_xmlns_declarations = True
verifier.verify(...)

  • Documentation and autoformatting improvements

Changes for v2.10.0 (2022-08-20)#

  • Excise empty xmlns declarations only in signature, not in payload

  • Add pyinstaller support to signxml (#188)

  • Documentation, test infrastructure, and code organization improvements

Changes for v2.9.0 (2021-10-08)#

  • Unlimit cryptography version constraint. Fixes #177

  • Bump pyOpenSSL compat range; add dep version strategy note

Changes for v2.8.2 (2021-05-14)#

  • Allow the combination of X509Data and KeyValue when they represent the same public key (#169)

  • Use self.namespaces signature properties “Object” element (#167)

Changes for v2.8.1 (2020-10-29)#

  • Allow cryptography versions >3 (but <4) (#164)

  • Add support for adding Signature Properties to a detached signature (#160)

Changes for v2.8.0 (2020-06-20)#

  • Compare raw digest bytes instead of base64 encoded digests. Fixes #155

  • Initial X509IssuerSerial/X509Digest support

  • Support custom inclusive_ns_prefixes when signing

Changes for v2.7.3 (2020-06-10)#

  • Fix ECDSA signature encoding/decoding (#150)

  • Add InclusiveNamespaces PrefixList support for SignedInfo

  • Test and documentation improvements

Changes for v2.7.2 (2019-12-01)#

  • Relax dependency version range on eight

  • Update dependency installation documentation

  • XMLSigner.sign(): add always_add_key_value kwarg to include both X509Data and KeyValue for ill-defined signing applications

  • XMLVerifier.verify(): reject signatures that contain both X509Data and KeyValue by default; add ignore_ambiguous_key_info kwarg to bypass

Changes for v2.7.1 (2019-11-30)#

  • Accept PEM keys as either str or bytes

Changes for v2.7.0 (2019-11-30)#

  • Drop defusedxml dependency; add security notes

  • Add missing c14n transform for enveloping and detached methods (#107)

  • Relax pyOpenSSL dependency version range to include version 19

  • Apply transforms and digest calculations to copies of root. Closes #125. (#126)

  • Documentation and test improvements

Changes for v2.6.0 (2019-01-10)#

  • Update dependencies to baseline on Ubuntu 18.04

  • Clarify documentation of Ubuntu installation dependencies

  • List ipaddress as a dependency

  • Strip PEM header from OpenSSL.crypto.X509 cert

  • Doc updates: dependency versions, standard links

  • Fix cryptography deprecation warnings. Closes #108

  • Allow URI attribute of Reference to be absent (#102)

Changes for v2.5.2 (2017-12-07)#

  • Fix release

Changes for v2.5.1 (2017-12-07)#

Fix release

Changes for v2.5.0 (2017-12-07)#

  • Relax dependency version constraints.

  • Drop Python 3.3 support.

  • Support for PEM files with CR+LF line endings (#93).

Changes for v2.4.0 (2017-07-10)#

  • Import asn1crypto on demand

  • Allow newer versions of cryptography library (#89)

Changes for v2.3.0 (2017-04-24)#

  • Add explicit dependency on asn1crypto to setup.py (#87)

  • Remove use of Exception.message for py3 compatibility. Closes #36 (#86)

  • Use asn1crypto instead of pyasn1 to match cryptography lib (#85)

  • Pin to major version of lxml instead of minor

  • Allow newer versions of several requirements (#84)

  • Allow newer version of eight library (#83)

Changes for v2.2.4 (2017-03-19)#

  • Documentation and test fixes

Changes for v2.2.3 (2016-12-20)#

  • Release automation: parse repo name correctly

Changes for v2.2.2 (2016-12-20)#

  • Expand supported cryptography version range. Fixes #74

  • Documentation and release automation improvements

Changes for v2.2.1 (2016-09-26)#

  • Fix handling of reference URIs in detached signing

  • Test infra fixes

Changes for v2.2.0 (2016-09-25)#

  • Support custom key info when signing

  • Initial elements of ws-security support

  • Support signing and verifying multiple references

Changes for v2.1.4 (2016-09-18)#

  • Only sign the referenced element when passed reference_uri (thanks to @soby).

  • Add CN validation - instead of a full X.509 certificate, it is now possible to pass a common name that will be matched against the CN of a cert trusted by the CA store.

  • Order-agnostic cert chain validation and friendlier ingestion of cert chains.

  • Minor/internal changes; packaging fix for 2.1.0

Changes for v2.1.0 (2016-09-18)#

  • Pre-release; see notes for v2.1.4

Version 2.0.0 (2016-08-05)#

  • Major API change: signxml.xmldsig(data).sign() -> signxml.XMLSigner().sign(data)

  • Major API change: signxml.xmldsig(data).verify() -> signxml.XMLVerifier().verify(data)

  • Signer and verifier objects now carry no data-specific state; instead carry system configuration state that is expected to be reused

  • Signer and verifier objects should now be safe to reuse in reentrant environments

  • Internal architecture changes to improve modularity and eliminate data-specific latent state and side effects

Version 1.0.2 (2016-08-01)#

  • Update xmlenc namespaces for downstream encryptxml support

Version 1.0.1 (2016-07-14)#

  • Packaging fix: remove stray .pyc file

Version 1.0.0 (2016-04-08)#

  • Major API change: Return signature information in verify() return value (#41, #50). Thanks to @klondi.

  • Major API change: Excise signature node from verify() return value to avoid possibly returning untrusted data (#47). Thanks to @klondi.

Version 0.6.0 (2016-03-24)#

  • Remove signature nodes appropriately (#46). Thanks to @klondi.

  • Expand Travis CI test to include flake8 linter.

Version 0.5.0 (2016-03-02)#

  • Add support for using a KeyName element within the KeyInfo block (#38). Thanks to @Pelleplutt.

  • Update cryptography dependency

  • Expand Travis CI test matrix to include OS X

Version 0.4.6 (2015-11-28)#

  • Python 3.5 compatibility fix: move enum34 into conditional dependencies (#37). Thanks to @agronholm.

Version 0.4.5 (2015-11-08)#

  • Support enveloped signatures nested at arbitrary levels beneath root element (#32, #33). Thanks to @jmindek.

  • Update certifi, cryptography dependencies

Version 0.4.4 (2015-08-07)#

  • Handle xml.etree.ElementTree nodes as input (previously these would cause a crash, despite the documentation suggesting otherwise). Closes #19, thanks to @nickcash.

Version 0.4.3 (2015-07-26)#

  • Do not open schema file in text mode when parsing XML (closes #18, thanks to @nick210)

  • Update cryptography dependency

Version 0.4.2 (2015-04-24)#

  • Add support for parameterizable signature namespace (PR #12, thanks to @ldnunes)

  • Update cryptography dependency

Version 0.4.1 (2015-04-21)#

  • Add support for detached signatures (closes #3)

  • Update pyOpenSSL dependency; use X509StoreContext.verify_certificate()

Version 0.4.0 (2015-03-08)#

  • Use pyasn1 for DER encoding and decoding, eliminating some DSA signature verification failures

Version 0.3.9 (2015-02-04)#

  • Do not distribute tests in source archive

Version 0.3.7 (2015-02-04)#

  • Configurable id attribute name for verifying non-standard internal object references, e.g. ADFS (closes #6)

Version 0.3.6 (2015-01-10)#

  • Python 3 compatibility fixes

  • Fix test matrix (Python version configuration) in Travis

Version 0.3.5 (2014-12-22)#

  • Refactor application of enveloped signature transforms

  • Support base64 transform

  • Support application of different canonicalization algorithms to signature and payload (closes #1)

Version 0.3.4 (2014-12-14)#

  • Add support for exclusive canonicalization with InclusiveNamespaces PrefixList attribute

Version 0.3.3 (2014-12-13)#

  • Overhaul support of canonicalization algorithms

Version 0.3.2 (2014-12-11)#

  • Fix bug in enveloped signature canonicalization of namespace prefixes

Version 0.3.1 (2014-10-17)#

  • Fix bug in enveloped signature excision

Version 0.3.0 (2014-10-16)#

  • Allow location of enveloped signature to be specified

Version 0.2.9 (2014-10-14)#

  • Use exclusive c14n when signing

Version 0.2.8 (2014-10-13)#

  • Namespace all tags when generating signature

Version 0.2.7 (2014-10-13)#

  • Switch default signing method to enveloped signature

Version 0.2.6 (2014-10-13)#

  • Fix typo in ns prefixing code

Version 0.2.5 (2014-10-13)#

  • Fix handling of DER sequences in DSA key serialization

  • Parameterize excision with ns prefix

Version 0.2.4 (2014-10-12)#

  • Fix excision with ns prefix

Version 0.2.3 (2014-10-12)#

  • Fixes to c14n of enveloped signatures

  • Expand tests to use the XML Signature interoperability test suite

Version 0.2.2 (2014-10-04)#

  • Load bare X509 certificates from SAML metadata correctly

Version 0.2.1 (2014-10-04)#

  • Always use X509 information even if key value is present

  • Internal refactor to modularize key value handling logic

Version 0.2.0 (2014-10-02)#

  • Use defusedxml when verifying signatures.

  • Eliminate dependency on PyCrypto.

  • Introduce support for ECDSA asymmetric key encryption.

  • Introduce ability to validate xmldsig11 schema.

  • Expand test suite coverage.

Version 0.1.9 (2014-09-27)#

  • Allow use of external X509 certificates for validation; add an example of supplying a cert from SAML metadata.

Version 0.1.8 (2014-09-25)#

  • Packaging fix.

Version 0.1.7 (2014-09-25)#

  • Packaging fix.

Version 0.1.6 (2014-09-25)#

  • Accept etree elements in verify.

Version 0.1.5 (2014-09-25)#

  • Packaging fix.

Version 0.1.4 (2014-09-25)#

  • Begin work toward conformance with version 1.1 of the spec.

Version 0.1.3 (2014-09-23)#

  • Require x509 for verification by default.

Version 0.1.2 (2014-09-22)#

  • Documentation fixes.

Version 0.1.1 (2014-09-22)#

  • Documentation fixes.

Version 0.1.0 (2014-09-22)#

  • Initial release.