Post-mortem: breakage with cryptography>=44

[woodruffw]

PyCA cryptography 44 was released a few hours ago, which broke un-pinned installations of sigstore (e.g. pip install sigstore).

Root cause:

• We have an open-ended pin on cryptography >= 42:

  sigstore-python/pyproject.toml

  Line 29 in f08e11f

  "cryptography >= 42",

  We did this originally because cryptography is very stable, and we use no internal APIs.

• However, cryptography >=44 intentionally removes several ABCs as public APIs, including the SignedCertificateTimestamp ABC

• We depend on SignedCertificateTimestamp.register(...) to register our own SCT implementation for detached Fulcio SCT support:

  sigstore-python/sigstore/_internal/fulcio/client.py

  Line 170 in f08e11f

  SignedCertificateTimestamp.register(DetachedFulcioSCT)

As a result, unconstrained resolutions of sigstore's deps end with an import error when sigstore is used.

Resolutions:

• Short term: I've cut v3.5.3 as a patch release, which constrains cryptography < 44 to keep the existing code working
• Medium term: We need to remove our use of the SignedCertificateTimestamp ABC or, better yet, remove support for detached SCTs entirely: Removed support for detached SCTs #850
  • fulcio: remove ABC registration #1235
  • fulcio: remove detached SCT support #1236

In terms of limiting future regressions:

• We should pin to cryptography's major version and use Dependabot to keep updated, rather than using an open-ended resolution. pyproject: constrain cryptography < 44 #1229.
• We should have PyCA cryptography run sigstore's test suite as part of its CI/regression suite, like it does with some other downstreams: ci: add sigstore as a downstream test pyca/cryptography#12054

[woodruffw]

All resolution tasks have been completed here, so I'm closing this. I'll leave it pinned for a bit, though, so that users who experience breakage can find it.