PyPI packages (1.14.1, 2.1.0) missing SECP256R1 curve fix from commit 7bb3b19 #179

@dmytroleonenko

Bug Description:
The PyPI-published versions of pywebpush (1.14.1 and 2.1.0) contain a bug that causes TypeError: curve must be an EllipticCurve instance when used with cryptography >= 40.x.

Root Cause:
In pywebpush/init.py, the code calls:
server_key = ec.generate_private_key(ec.SECP256R1, default_backend())

This should be:
server_key = ec.generate_private_key(ec.SECP256R1(), default_backend())

Status in Git vs PyPI:

  • ✅ GitHub repo (commit 7bb3b19, Jan 24 2024): HAS THE FIX
  • ✅ Git tags 2.0.0, 2.0.1, 2.1.0: HAVE THE FIX
  • ❌ PyPI pywebpush==1.14.1: HAS THE BUG
  • ❌ PyPI pywebpush==2.1.0: HAS THE BUG

Impact:
This breaks web push notifications for anyone using modern cryptography library versions (46.x+), which is the current latest.

Error Stacktrace:
TypeError: curve must be an EllipticCurve instance
File "pywebpush/init.py", line 203, in encode
server_key = ec.generate_private_key(ec.SECP256R1, default_backend())

Reproduction:
pip install pywebpush==2.1.0 cryptography==46.0.2
python3 -c "from pywebpush import webpush; webpush(...)" # Fails

Request:
Could you please rebuild and republish the PyPI packages for versions 2.0.1 and 2.1.0 from their respective git tags? This would resolve the issue for all users.

Workaround (for users):
Install from git directly:
pip install git+https://github.com/web-push-libs/[email protected]

Environment:

  • pywebpush: 2.1.0 (from PyPI)
  • cryptography: 46.0.2
  • Python: 3.10
