# python3-synta.spec.in — Fedora RPM packaging for the synta Python bindings
#
# Source package: python3-synta
#
# NOTE: Source0 is a git archive of the synta workspace, NOT the synta-python
# crate tarball from crates.io. The maturin build system requires:
#   - pyproject.toml  (workspace root, references synta-python/Cargo.toml)
#   - python/         (Python source files: __init__.py, krb5.py, cms.py, …)
# Neither of these files is included in the synta-python crates.io tarball.
# A full git archive is therefore used as Source0.
#
# Binary packages produced:
#   python3-synta      Python extension module (PyO3 / maturin, abi3-py38+)
#   python3-synta-doc  Python bindings documentation
#
# Source preparation notes
# ─────────────────────────
# Source0 (workspace tarball):
#   git archive --prefix=synta-%%{version}/ v%%{version} \
#     | gzip > synta-%%{version}.tar.gz
#   (Use 'make python-tarball' from contrib/packages/ to automate this.)
#
# Source1 (vendor tarball):
# Same approach as the workspace spec: apply the workspace patch to remove
# synta-bench (publish=false, pulls git-only deps) and the [patch.crates-io]
# git overrides that break offline cargo invocations, then run cargo vendor.
# 'make python-vendor' in contrib/packages/ regenerates this tarball.
#
# Version note: the Python package version is governed by pyproject.toml
# (currently 0.1.0); the synta-python Rust crate version (Cargo.toml) may
# differ. The RPM Version field tracks the Python package version.
# Update pyproject.toml whenever bumping the Python package release.

# Suppress the pyproject buildsystem auto-detection hook.
# RPM 4.20 passes -d (dependency-groups) to this hook but pyproject-rpm-macros
# 1.18 does not accept that flag. All Python build requirements are listed
# statically below so the hook output is not needed.
%global buildsystem_pyproject_generate_buildrequires() %nil
%global crate synta
%global snapdate 0
%global snapcommit 0
Name: python3-%{crate}
Version: 0.2.6
Release: 1.%{snapdate}.git%{snapcommit}%{?dist}
Summary: Python bindings for the Synta ASN.1 library
License: MIT OR Apache-2.0
URL: https://codeberg.org/abbra/synta
Source0: %{crate}-%{version}.tar.gz
Source1: %{crate}-%{version}-vendor.tar.gz
Patch0001: 0001-packaging-remove-synta-bench-from-workspace.patch
# Rust build infrastructure
BuildRequires: cargo-rpm-macros >= 25
# Python extension (maturin / PyO3)
BuildRequires: python3-devel
BuildRequires: python3-pip
BuildRequires: pyproject-rpm-macros
BuildRequires: %{py3_dist maturin} >= 1.0
BuildRequires: %{py3_dist maturin} < 2.0
# pytest is in [dependency-groups] dev in pyproject.toml; list it explicitly
# because the pyproject buildrequires macro without -d does not emit it.
BuildRequires: %{py3_dist pytest} >= 7
# OpenSSL development headers (openssl-devel). The maturin build enables
# both the openssl and deprecated-pkcs12-algorithms features (PQC ML-DSA /
# ML-KEM support); the vendor tarball includes the PQC-capable rust-openssl
# fork (github.com/abbra/rust-openssl, branch pqc-prs). OpenSSL 3.5+
# system libraries are required for ML-DSA/ML-KEM at runtime.
BuildRequires: openssl-devel
# Rust crate dependencies installed as system packages.
BuildRequires: rust-synta-devel >= 0.1.4
BuildRequires: rust-synta-certificate-devel >= 0.1.4
BuildRequires: rust-synta-krb5-devel >= 0.1.4
BuildRequires: rust-synta-mtc-devel >= 0.1.4
BuildRequires: rust-synta-derive-devel >= 0.1.4
BuildRequires: rust-synta-x509-verification-devel >= 0.1.4
%description
Python bindings for the Synta high-performance ASN.1 parser and encoder,
providing a Python API for DER/BER decoding, DER encoding, X.509 certificate
and PKI structure parsing, PKCS#7/PKCS#12 archive reading, Kerberos V5
ASN.1 structure handling, SPNEGO/GSSAPI negotiation token parsing, Merkle
Tree Certificate support, and RFC 5280 / CABF X.509 certificate chain
verification (synta.x509 submodule, backed by OpenSSL).

The main extension module (_synta.abi3.so) is built with maturin; two
additional per-subsystem modules are built separately with cargo:
_krb5.abi3.so (Kerberos V5 + SPNEGO/GSSAPI) and _mtc.abi3.so (Merkle Tree
Certificates). All modules use PyO3 against the stable Python ABI (abi3)
and are compatible with Python 3.8 and later.
# ──────────────────────────────────────────────────────────────────────────────
# python3-synta-doc — Python bindings documentation
# ──────────────────────────────────────────────────────────────────────────────
%package doc
Summary: Documentation for the python3-synta Python bindings
License: MIT OR Apache-2.0
BuildArch: noarch
%description doc
User guide and reference documentation for the python3-synta Python bindings,
including the Python API overview, bindings reference, and integration guide.
# ══════════════════════════════════════════════════════════════════════════════
# PREP
# ══════════════════════════════════════════════════════════════════════════════
%prep
%autosetup -n %{crate}-%{version} -p1
# Extract the vendor tarball; same approach as the workspace spec.
tar xf %{SOURCE1}
# Set up .cargo/config.toml pointing all crate lookups at vendor/ for offline
# builds. %%cargo_prep -v vendor writes the crates-io → vendored-sources stanza.
%cargo_prep -v vendor
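# Append any git-source redirect stanzas saved during 'cargo vendor'.
# The awk filter copies each [source."git+URL"] table (its header and the
# lines that follow, up to and including the next blank line or until the next
# table header) and drops everything else. '|| :' ignores an awk failure,
# such as a missing vendor-config.toml.
awk '/^\[source\."git\+/{s=1; print; next} /^\[/{s=0} s{print} /^[[:space:]]*$/{s=0}' \
    vendor-config.toml >> .cargo/config.toml || :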
# ══════════════════════════════════════════════════════════════════════════════
# GENERATE BUILD REQUIREMENTS
# ══════════════════════════════════════════════════════════════════════════════
%generate_buildrequires
%cargo_generate_buildrequires
# All Python build requirements are listed statically in BuildRequires above;
# %%pyproject_buildrequires is intentionally omitted to avoid version-dependent
# macro behavior when building the SRPM locally.
# ══════════════════════════════════════════════════════════════════════════════
# BUILD
# ══════════════════════════════════════════════════════════════════════════════
%build
# %%pyproject_wheel calls `maturin build --release` via the maturin backend
# declared in pyproject.toml. maturin respects CARGO_HOME / .cargo/config.toml
# set up by %%cargo_prep above, so it uses the vendored crate sources.
%pyproject_wheel
# Build the per-subsystem extension modules that are not managed by maturin.
# _krb5.so covers both synta.krb5 and synta.spnego (SPNEGO is always used
# alongside Kerberos so both live in the same shared library).
cargo build --release -p synta-python-krb5 --features openssl
cargo build --release -p synta-python-mtc --features openssl
# ══════════════════════════════════════════════════════════════════════════════
# INSTALL
# ══════════════════════════════════════════════════════════════════════════════
%install
%pyproject_install
# Install the per-subsystem extension modules built above.
# The abi3 naming (_NAME.abi3.so) matches the PyO3 abi3-py38 feature used
# by each crate and is consistent with the _synta.abi3.so installed by maturin.
# _krb5.abi3.so covers both synta.krb5 and synta.spnego.
install -pm 755 target/release/lib_krb5.so \
    %{buildroot}%{python3_sitearch}/synta/_krb5.abi3.so
install -pm 755 target/release/lib_mtc.so \
    %{buildroot}%{python3_sitearch}/synta/_mtc.abi3.so
# Install the Python bindings documentation.
install -d %{buildroot}%{_docdir}/python3-%{crate}-doc/examples
install -pm 644 examples/*.py %{buildroot}%{_docdir}/python3-%{crate}-doc/examples/
install -pm 644 \
    synta-python/README.md \
    synta-python/CHANGELOG.md \
    %{buildroot}%{_docdir}/python3-%{crate}-doc/
# ══════════════════════════════════════════════════════════════════════════════
# CHECK
# ══════════════════════════════════════════════════════════════════════════════
%check
%pytest tests/python/
# ══════════════════════════════════════════════════════════════════════════════
# FILES
# ══════════════════════════════════════════════════════════════════════════════
# ── python3-synta ─────────────────────────────────────────────────────────────
%files
%license LICENSE-MIT LICENSE-APACHE
# The synta Python package directory: __init__.py, _synta.abi3.so and all
# pure-Python submodules (krb5.py, cms.py, oids/, …), plus the two
# per-subsystem extension modules installed manually above.
%{python3_sitearch}/synta/
%{python3_sitearch}/synta-%{version}.dist-info/
# ── python3-synta-doc ─────────────────────────────────────────────────────────
%files doc
%license LICENSE-MIT LICENSE-APACHE
%{_docdir}/python3-%{crate}-doc/README.md
%{_docdir}/python3-%{crate}-doc/CHANGELOG.md
%{_docdir}/python3-%{crate}-doc/examples/
# ══════════════════════════════════════════════════════════════════════════════
# CHANGELOG
# ══════════════════════════════════════════════════════════════════════════════
%changelog
* Tue Jun 09 2026 Alexander Bokovoy <abokovoy@redhat.com> - 0.2.5-1
- synta-tools: MTC certificate display and verification; cert subcommand now
  recognises X.509 wrappers, StandaloneCertificate, LandmarkCertificate;
  new --subtree-root option verifies Merkle inclusion proofs
- synta-mtc: extensions prefix in TLS leaf hash wire format (breaking change)
- synta-certificate: FailedKeySigner feature gating fix
* Tue May 27 2026 Alexander Bokovoy <abokovoy@redhat.com> - 0.2.4-1
- synta.mtc.CosignerID redesigned to wrap an OBJECT IDENTIFIER (breaking change)
- synta.mtc.ProofNode.is_left property removed; ProofNode now a plain OCTET STRING
- synta-mtc: MtcProof wire format updated (extensions field, uint48 range, uint8 cosigner_id prefix)
- synta-mtc: issuerUniqueID/subjectUniqueID corrected to IMPLICIT tagging
- pqc feature enabled by default in wheels (composite ML-DSA on OpenSSL 3.3+)
- pkcs12: use SHA digest OID in MacData.digestAlgorithm, not hmacWithSHAxxx
- x509-verification: add composite ML-DSA OIDs to policy allowlists
* Sun May 24 2026 Alexander Bokovoy <abokovoy@redhat.com> - 0.2.3-1
- Add composite ML-DSA signing and verification (draft-ietf-lamps-pq-composite-sigs-19):
  18 algorithm variants (ML-DSA-44/65/87 paired with RSA-PSS, RSA-PKCS#1v15, ECDSA,
  Ed25519, Ed448); PrivateKey.generate_composite_ml_dsa(sub_arc) exposed to Python;
  composite ML-DSA OIDs in synta.oids at runtime
- Add @asn1_sequence_of schema decorator for naked SEQUENCE OF types
- Add RFC 9118 EnhancedJWTClaimConstraints example
- Fix synta.schema re-export in __init__.pyi
* Fri May 08 2026 Alexander Bokovoy <abokovoy@redhat.com> - 0.2.2-1
- Version bump to stay in sync with workspace; no functional changes
* Sat May 02 2026 Alexander Bokovoy <abokovoy@redhat.com> - 0.2.1-1
- Certificate serial numbers enforce RFC 5280 §4.1.2.2: high-bit padding and
  20-byte cap; CRL/OCSP serial decoding fixed with from_unsigned_bytes()
* Fri May 01 2026 Alexander Bokovoy <abokovoy@redhat.com> - 0.2.0-1
- Add synta.pkcs11 submodule: Pkcs11Token with find_key, list_keys,
  delete_key, generate_key_pair; list_slots(); SlotInfo, KeyInfo types;
  PINs redacted in error messages and repr output
* Thu Apr 30 2026 Alexander Bokovoy <abokovoy@redhat.com> - 0.1.12-1
- Bump to 0.1.12; add synta.ext.crl_number() and synta.oids.CRL_NUMBER
- CertificateListBuilder.add_extension() now accepts str or ObjectIdentifier
- CMS SignedDataBuilder internals rewritten to use generated ASN.1 types
- PKCS#9 attribute OIDs replaced with named synta.oids constants
* Thu Apr 30 2026 Alexander Bokovoy <abokovoy@redhat.com> - 0.1.11-1
- Bump to 0.1.11; add OCSPRequest, CertID parsed types and OCSPRequestBuilder
- Add OCSPCertIDSpec input spec; expose OCSPRequest/CertID to Python bindings
* Tue Apr 28 2026 Alexander Bokovoy <abokovoy@redhat.com> - 0.1.10-1
- Bump to 0.1.10; add OCSPRequest and CertID Python parsed types
* Sun Apr 26 2026 Alexander Bokovoy <abokovoy@redhat.com> - 0.1.9-1
- Bump to 0.1.9; add SignedDataBuilder, from_pkcs11_uri, create_pkcs12 cipher/mac args
- Add synta-python-common/krb5/mtc to publish order; fix maturin manifest-path for krb5/mtc wheels
- Fix sub-crate pyproject.toml version bumping in release.py
* Fri Apr 10 2026 Alexander Bokovoy <abokovoy@redhat.com> - 0.1.4-1
- Bump to 0.1.4; update BuildRequires to >= 0.1.4 for all rust-synta-* crates
- Update workspace patch: add synta-python-common/krb5/mtc members
- Vendor PQC-capable rust-openssl fork (pqc-prs) in Source1; enable
  deprecated-pkcs12-algorithms maturin feature for ML-DSA/ML-KEM support
- Fix tests path (tests/python/), fix doc file paths (synta-python/README.md)
* Sun Apr 05 2026 Alexander Bokovoy <abokovoy@redhat.com> - 0.1.3-1
- Add CertificationRequest extension API, CertificateList version/crl_number,
  PublicKey.from_rsa/ec_components, and 8 new synta.oids.attr constants
* Mon Mar 23 2026 Alexander Bokovoy <abokovoy@redhat.com> - 0.1.0-1
- Initial individual package (split from synta workspace spec)