Python-RSA 4.5 & 4.6 released!
The final release of Python-RSA v4.6 can be obtained from the Python Package Index, or just installed with pip install --upgrade rsa. Running that upgrade command on Python 2.7 will automatically give you version 4.5, the last version to support Python 2.
This release contains improvements by Alexey Sveshnikov, Jon Dufresne, Andrey Semakin, Christian Heimes, Adelapie, and myself of course:
- Added support for Python 3.8.
- Dropped support for Python 2 and 3.4.
- Added type annotations to the source code. This will make Python-RSA easier to use in your IDE, and allows better type checking.
- Added static type checking via MyPy.
- Fixed #129: installing from source gives UnicodeDecodeError.
- Added support for SHA3 hashing: SHA3-256, SHA3-384, SHA3-512. This is only supported by Python 3.6+.
- Choose blinding factor relatively prime to N. Thanks Christian Heimes for pointing this out.
- Reject cyphertexts (when decrypting) and signatures (when verifying) that have been modified by prepending zero bytes. This resolves CVE-2020-13757. Thanks Adelapie for pointing this out.
More information on the Python-RSA page.
What about versions 4.1 - 4.4?
Ok, so here is the whole story about where versions 4.1 - 4.4 disappeared to.
After sitting on some smaller improvements for a while, in fairly rapid succession I received two reports about security issues. The first one was regarding the chosen blinding factor. The second one was more serious; serious enough to warrant a CVE: CVE-2020-13757.
Fortunately both issues were relatively easy to fix, so I rapidly released version 4.1. This was the first release to be built with Poetry and with SHA3 support. As it turned out, packages made with Poetry cannot be installed in a no-binaries environment, and the same goes for the SHA3 support library needed on Python 3.5. So, out came Python-RSA version 4.2 to resolve those issues.
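Both fixes are small checks. The following added example (my own illustration, not Python-RSA's code) shows the shape of each: a blinding factor is only accepted when it is coprime to N, and a ciphertext or signature is only converted to an integer when its length matches the key, since prepended zero bytes leave the big-endian integer value unchanged and would otherwise go unnoticed. The modulus 3233 and the value 2790 are constructed textbook numbers with no cryptographic strength.

```python
import math
import secrets


def choose_blinding_factor(n: int) -> int:
    """Pick a random r with 1 < r < n and gcd(r, n) == 1.

    Blinding multiplies the ciphertext by r^e mod n before the private
    operation; r must be invertible mod n so the blinding can be undone.
    """
    while True:
        r = secrets.randbelow(n - 2) + 2  # uniform in [2, n - 1]
        if math.gcd(r, n) == 1:
            return r


def bytes_to_int(data: bytes, key_byte_len: int) -> int:
    """Decode a ciphertext/signature, rejecting anything of the wrong length.

    Leading zero bytes do not change the integer value, so the length
    check is what makes the encoding unambiguous.
    """
    if len(data) != key_byte_len:
        raise ValueError(f"expected {key_byte_len} bytes, got {len(data)}")
    return int.from_bytes(data, "big")


def demo() -> dict:
    # Constructed toy modulus (61 * 53); key length is 2 bytes.
    n = 3233
    key_byte_len = (n.bit_length() + 7) // 8
    r = choose_blinding_factor(n)
    ciphertext = (2790).to_bytes(key_byte_len, "big")
    padded = b"\x00" + ciphertext  # same integer, one byte longer
    try:
        bytes_to_int(padded, key_byte_len)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "blinding_coprime": math.gcd(r, n) == 1,
        "same_integer": int.from_bytes(padded, "big") == 2790,
        "padded_rejected": rejected,
        "original_accepted": bytes_to_int(ciphertext, key_byte_len) == 2790,
    }
```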
Version 4.1 was also the first to discontinue support for Python 2.7. This version of Python has been marked end-of-life since the beginning of this year. That deprecation didn't go too smoothly, though; apparently the setup.py code missed a bit of metadata that declares that the package requires Python 3.5+, so installations that were still using Python 2.7 were happily installing the new Python-RSA version, and failing badly.
To help the Python 2.7 users, I took Python-RSA 4.0 (the last one to support 2.7), cherry-picked the two security fixes, and released it as Python-RSA version 4.3. After that I took version 4.2 and released that as version 4.4, this time with the right python_requires = ">=3.5" in place to make sure Python 2.7 won't try to use it.
I tried to do it all too quickly, so I accidentally released version 4.4 without that python_requires stanza. So, still Python 2.7 installations tried to upgrade and got broken, which is why I re-released version 4.3 as version 4.5 and re-released version 4.4 as version 4.6.
There you go. Now you know.