Deprecation warning when signing/verifying JWKRSA objects

[canihavesomecoffee]

The cryptography extension has deprecated [1] (since 2.0 - 2017-07-17) the signer and verifiier methods, which results in this warning:

/var/www/workaround/venv/lib/python3.5/site-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)

Code I used to get this warning:

from acme import client
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa

import josepy as jose

private_key = rsa.generate_private_key(public_exponent=65537, key_size=4096, backend=default_backend())
acme_client = client.Client( 'https://acme-v01.api.letsencrypt.org/directory', jose.JWKRSA(key=private_key))
regr = acme_client.register()

Environment:

• acme-0.22.2
• josepy-1.0.1
• cryptography-2.2.1
• Python 3.5.3

[1] pyca/cryptography#3659

[bmw]

Thanks for opening an issue. We'd take a well written PR to use the other APIs.

[mgedmin]

certbot renew now started emitting this warning from my cron script:

/opt/letsencrypt/local/lib/python2.7/site-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been
deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)

(It looks like the warning is emitted only when the certificate needs to be renewed, which makes this not as annoying as it would be if it were emitted on every run.)

[bolera]

Why was this closed? certbot issues this warning now with every cert request.

[bmw]

Because the issue was fixed in the josepy release over 4 months ago. How did you install Certbot?

[bolera]

Sorry, yes, I just noticed that I can follow that link and see it was merged in April. I'm getting certbot from the official repo, wait a minute. It says it's version 0.26.1. There's no newer one if I try to upgrade.
deb http://ppa.launchpad.net/certbot/certbot/ubuntu xenial main

[bmw]

From our Ubuntu PPA? It looks like the maintainers haven't packed a version of josepy containing this fix. Thanks for pointing this out.

@NCommander, do you have the cycles to do this? It should be very simple as very little has changed since the previous version and it is packaged on Debian.

[bolera]

Yes, I updated my last reply twice.

[NCommander]

I'll take a crack at it tonight

…

On Wed, Aug 15, 2018, 13:52 bolera ***@***.***> wrote: Yes, I updated my last reply twice. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#13 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AALDQOpfnMPUQes0bO_elR7qj0kQgsHfks5uRIoggaJpZM4S2sey> .

[stamster]

letsencrypt 0.4.1 having same issue.

/usr/lib/python2.7/dist-packages/acme/jose/jwa.py:110: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead. 
signer = key.signer(self.padding, self.hash) 

The renewal works, but this warning is sent into STDERR.

[Pat71]

Any news on this? I (re)installed certbot yesterday and keep getting this warning...

[bmw]

@hlieberman, the most recent comment is relevant to you and can be fixed by updating the version of josepy.

EDIT: It looks like the comment I was referring to was deleted, but a stretch-backports user was claiming to have this issue.

[Sambahoney]

Still having the same issue after installing from stretch-backports

[0xpr03]

I also installed via stretch-backports, as advised by your website, after having to re-install because of https ACME disabling.
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.

[hlieberman]

This should be fixed with the latest upload of certbot to stretch-backports. In any regard, it's simply a warning, and shouldn't mess with anything. (Albeit, being annoying).

…

-- Harlan Lieberman-Berg ~hlieberman

[bolera]

Not sure, if I should open a new ticket, but as it got already mentioned above: the Ubuntu ppa hasn't been updated yet. It's still on certbot 0.26.1 and josepy is still 1.0.1, uploaded in February. Would be nice to get new packages at least with major version jumps. Thanks!
https://launchpad.net/~certbot/+archive/ubuntu/certbot?field.series_filter=xenial

[jult]

/usr/local/lib/python2.7/dist-packages/josepy-1.0.1-py2.7.egg/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.

It's still there. With a clean debian 9, as far as python and certbot go.

[bmw]

@jult, that file path shows josepy 1.0.1 is being used. josepy 1.1.0 where this change is fixed is available in Debian 9. See https://packages.debian.org/stretch/python-josepy.

EDIT: It's also in /usr/local which suggests to me the package being used is not from Debian and is likely from pip.

[jult]

@bmw Yes, I fixed it doing

$ pip uninstall josepy
$ pip install josepy

Strange how I got there without recalling a pip install.