From e3c718cc0e8dfa730469cd16fbd7796a0d6fd316 Mon Sep 17 00:00:00 2001 From: Nathan Goldbaum Date: Wed, 26 Mar 2025 13:54:46 -0600 Subject: [PATCH 1/2] Support the free-threaded build --- .../config/macos-pkg-choices-freethreaded.xml | 14 +++ .github/requirements/build-requirements.in | 3 +- .github/requirements/build-requirements.txt | 89 ++++++++++++++++++- .github/workflows/ci.yml | 5 +- .github/workflows/wheel-builder.yml | 47 ++++++++-- pyproject.toml | 6 +- src/rust/cryptography-cffi/build.rs | 11 ++- 7 files changed, 161 insertions(+), 14 deletions(-) create mode 100644 .github/config/macos-pkg-choices-freethreaded.xml diff --git a/.github/config/macos-pkg-choices-freethreaded.xml b/.github/config/macos-pkg-choices-freethreaded.xml new file mode 100644 index 000000000000..028f8e476fd8 --- /dev/null +++ b/.github/config/macos-pkg-choices-freethreaded.xml @@ -0,0 +1,14 @@ + + + + + + attributeSetting + 1 + choiceAttribute + selected + choiceIdentifier + org.python.Python.PythonTFramework-3.14 + + + diff --git a/.github/requirements/build-requirements.in b/.github/requirements/build-requirements.in index 1a87ea6a00ba..5c4f10add4f2 100644 --- a/.github/requirements/build-requirements.in +++ b/.github/requirements/build-requirements.in @@ -1,6 +1,7 @@ # Must be kept sync with build-system.requires at pyproject.toml setuptools!=74.0.0 -cffi>=1.12; platform_python_implementation != 'PyPy' +cffi>=1.12; platform_python_implementation != 'PyPy' and python_version < '3.14' +cffi>=2.0.0b; platform_python_implementation != 'PyPy' and python_version >= '3.14' maturin>=1,<2 # Must be kept sync with build-system.requires at vectors/pyproject.toml diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 6ff90c76fafe..05b0542a5589 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -1,6 +1,6 @@ # This file was autogenerated by uv via the following command: # uv pip compile --universal --python-version 3.9 --allow-unsafe --generate-hashes build-requirements.in -o build-requirements.txt -cffi==1.17.1 ; platform_python_implementation != 'PyPy' \ +cffi==1.17.1 ; python_full_version < '3.14' and platform_python_implementation != 'PyPy' \ --hash=sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8 \ --hash=sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2 \ --hash=sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1 \ @@ -84,8 +84,93 @@ maturin==1.9.3 \ --hash=sha256:d71e8ccfc96602b25ecca77074b4a3459f419ab29505e966b9f1e7cc316f7a3e \ --hash=sha256:f29cb1068396ee0376cf5b9f4dce706bea9f768555831d44259b316e25ce311d \ --hash=sha256:fb2ee86861e72495eb9afd83f3672de0e4061740247f14492703c189829e7928 +cffi==2.0.0b1 ; python_full_version >= '3.14' and platform_python_implementation != 'PyPy' \ + --hash=sha256:0dbbe4a9bfcc058fccfee33ea5bebe50440767d219c2efa3a722a90ed59e8cfa \ + --hash=sha256:0eb17b22e313c453c940931f5d063ba9e87e5db12d99473477ab1851e66fedb4 \ + --hash=sha256:142c9c0c75fbc95ce23836e538681bd89e483de37b7cdf251dbdf0975995f8ac \ + --hash=sha256:14505e4a82aa84abddab6e493946d3ed6bf6d268b58e4c2f5bcf8ec2dee2ca2d \ + --hash=sha256:14c0ade7949f088615450abf884064b4ef11e8c9917b99d53f12e06cdfd2cd36 \ + --hash=sha256:16dc303af3630f54186b86aadf1121badf3cba6de17dfeacb84c5091e059a690 \ + --hash=sha256:1f4ca4ac8b9ee620ff5cb4307fae08691a0911bf0eeb488e8d6cf55bd77dfe43 \ + --hash=sha256:2155d2a0819c3fdcaa37832fb69e698d455627c23f83bc9c7adbef699fe4be19 \ + --hash=sha256:230a97779cdd6734b6af3bfda4be31406bab58a078f25327b169975be9225a46 \ + --hash=sha256:2355cd38f375906da70a8bad548eb63f65bed43c1044ed075691fa36e8e8315a \ + --hash=sha256:265666e15da6974e6a74110873321e84c7c2288e379aca44a7df4713325b9be4 \ + --hash=sha256:27309de8cebf48e056550db6607e2fb2c50109b54fc72c02b3b34811233483be \ + --hash=sha256:2b08dd1a826b678d39aa78f30edc1b7d9bd1e5b7e5adc2d47e8f56ab25ac7c13 \ + --hash=sha256:2da933859e1465a08f36d88e0452194da27b9ff0813e5ba49f02c544682d40e0 \ + --hash=sha256:2ea57043b545f346b081877737cb0320960012107d0250fa5183a4306f9365d6 \ + --hash=sha256:2fd8f55419576289d7cd8c9349ea46a222379936136754ab4c2b041294b0b48d \ + --hash=sha256:314afab228f7b45de7bae55059b4e706296e7d3984d53e643cc0389757216221 \ + --hash=sha256:31b8e3204cdef043e59a296383e6a43461d17c5c3d73fa9cebf4716a561291b0 \ + --hash=sha256:339e853c75f69c726b1a85f2217db6880422f915770679c47150eea895e02b46 \ + --hash=sha256:352e1949f7af33c37b060d2c2ea8a8fa1be6695ff94f8d5f7738bacacb9d6de4 \ + --hash=sha256:39eedbed09879f6d1591ad155afcc162aa11ebf3271215339b4aef3df5631573 \ + --hash=sha256:3b8aee0176d80781a21855832c411cfd3126c34966650693ec1245f0b756498b \ + --hash=sha256:3ba9946f292f7ae3a6f1cc72af259c477c291eb10ad3ca74180862e39f46a521 \ + --hash=sha256:3cc3245802b4950bc5459a2ef9a650d948972e44df120ecd2c6201814c8edb54 \ + --hash=sha256:4210ddc2b41c20739c64dede1304fb81415220ea671885623063fab44066e376 \ + --hash=sha256:4440de58d19c0bebe6a2f3b721253d67b27aabb34e00ab35756d8699876191ea \ + --hash=sha256:47a91ab8d17ed7caed27e5b2eda3b3478f3d28cecb3939d708545804273e159b \ + --hash=sha256:4b69c24a89c30a7821ecd25bcaff99075d95dd0c85c8845768c340a7736d84cf \ + --hash=sha256:504d264944d0934d7b02164af5c62b175255ef0d39c5142d95968b710c58a8f6 \ + --hash=sha256:505bec438236c623d7cfd8cc740598611a1d4883a629a0e33eb9e3c2dcd81b04 \ + --hash=sha256:53c780c2ec8ce0e5db9b74e9b0b55ff5d5f70071202740cef073a2771fa1d2ce \ + --hash=sha256:53fbcfdb35760bc6fb68096632d29700bcf37fd0d71922dcc577eb6193fc6edc \ + --hash=sha256:5acd1da34b96c8881b5df0e3d83cdbecc349b9ad5e9b8c0c589646c241448853 \ + --hash=sha256:5f304ce328ecfb7bc36034374c20d0b4ae70423253f8a81c5e0b5efd90e29cd4 \ + --hash=sha256:5f373f9bdc3569acd8aaebb6b521080eeb5a298533a58715537caf74e9e27f6b \ + --hash=sha256:601ddbaa51b1bd96a92a6a26e855060390023ab600377280a9bed7703ed2a088 \ + --hash=sha256:60c2c1d7adf558b932de9e4633f68e359063d1a748c92a4a3cba832085e9819b \ + --hash=sha256:6a1faa47c7fbe0627f6b621dadebed9f532a789a1d3b519731304da1d3ec3d14 \ + --hash=sha256:6de033c73dc89f80139c5a7d135fbd6c1d7b28ebb0d2df98cd1f4ef76991b15c \ + --hash=sha256:6ff1ba153e0740c2ea47d74d015c1a03c3addab1681633be0838103c297b855c \ + --hash=sha256:71ab35c6cc375da1e2c06af65bf0b5049199ad9b264f9ed7c90c0fe9450900e3 \ + --hash=sha256:762dd8db1bd710f7b828b3c6cbb7101b5e190e722eb5633eb79b1a6b751e349a \ + --hash=sha256:765c82d4a73ded03bfea961364f4c57dd6cfe7b0d57b7a2d9b95e2e7bd5de6f7 \ + --hash=sha256:76a19efb88a495bb7377fc542c7f97c9816dfc1d6bb4ad147acb99599a83e248 \ + --hash=sha256:782f60714ea2935e5391a0f69ad4705624cdc86243b18dcfafd08565c28e89bd \ + --hash=sha256:7b17e92900eb61bce62ea07ea8dd0dc33aa476ee8f977918050e52f90f5b645c \ + --hash=sha256:7dfd6f8f57e812f3175aa0d4d36ed797b6ff35f7cdfefea05417569b543ddc94 \ + --hash=sha256:853e90e942246f9e098f16baa45896f80675f86ab6447823c4030a67c3cc112d \ + --hash=sha256:856eb353a42b04d02b0633c71123276710a5390e92a27fbd2446864ca7d27923 \ + --hash=sha256:87acb9e2221ed37c385c9cef866377fbaa13180de9ba1cdc4e6dc927b273c87f \ + --hash=sha256:8af08fd246d2a544c8b68c25c171809d08eed9372f2026ae48dad17d26525578 \ + --hash=sha256:916141ca9ff05e9f67fe73c39a527d96a7101191673dee9985e71cd164b55915 \ + --hash=sha256:91fc109a1412dd29657f442a61bb571baaa1d074628145008ceb54dc9bb13941 \ + --hash=sha256:9c70c77ec47b96a593477386d7bf23243996c75f1cc7ce383ba35dcedca9bd14 \ + --hash=sha256:9d04b5fc06ba0ce45d7e51dfd8a14dc20708ef301fcf5a215c507f4e084b00c8 \ + --hash=sha256:9e23ac717e8b3767c80198d483c743fe596b055a6e29ef34f9d8cdf61f941f2f \ + --hash=sha256:a160995771c54b12dc5a1ef44d6fd59aeea4909e2d58c10169156e9d9a7e2960 \ + --hash=sha256:a812e9ab7a0bfef3e89089c0359e631d8521d5efc8d21c7ede3f1568db689920 \ + --hash=sha256:a898f76bac81f9a371df6c8664228a85cdea6b283a721f2493f0df6f80afd208 \ + --hash=sha256:aaec3f41cd6f0ffda5e23365822710d747b8613d3b8f54e12b5d7dcde688300d \ + --hash=sha256:ab4aea2f93ab6c408f0c6be8ddebe4d1086b4966148f542fe11cf82ca698dc07 \ + --hash=sha256:adbed7d68bc8837eb2c73e01bc284b5af9898e82b6067a6cbffea4f1820626e4 \ + --hash=sha256:bce5ce4790b8347c2d7937312218d0282af344f8a589db163520a02fe8e42281 \ + --hash=sha256:bd7ce5d8224fb5a57bd7f1d9843aa4ecb870ec3f4a2101e1ba8314e91177e184 \ + --hash=sha256:bdd3ce5e620ff6ee1e89fb7abb620756482fb3e337e5121e441cb0071c11cbd0 \ + --hash=sha256:be957dd266facf8e4925643073159b05021a990b46620b06ca27eaf9d900dbc2 \ + --hash=sha256:c177aa1cdae420519665da22760f4a4a159551733d4686a4467f579bf7b75470 \ + --hash=sha256:c5713cac21b2351a53958c765d8e9eda45184bb757c3ccab139608e708788796 \ + --hash=sha256:cb351fade24f7ba9ca481bee53d4257053b9fa9da55da276fe1187a990a49dde \ + --hash=sha256:cbde39be02aa7d8fbcd6bf1a9241cb1d84f2e2f0614970c51a707a9a176b85c6 \ + --hash=sha256:cf1b2510f1a91c4d7e8f83df6a13404332421e6e4a067059174d455653ae5314 \ + --hash=sha256:d2ede96d5de012d74b174082dec44c58a35b42e0ea9f197063ddb5e504ee0c7e \ + --hash=sha256:d31ba9f54739dcf98edb87e4881e326fad79e4866137c24afb0da531c1a965ca \ + --hash=sha256:d88f849d03c9aa2d7bbd710a0e20266f92bf524396c7fce881cd5a1971447812 \ + --hash=sha256:e227627762046204df31c589d7406540778d05622e395d41fc68b7895d40c174 \ + --hash=sha256:e2920fa42cf0616c21ea6d3948ad207cf0e420d2d2ef449d86ccad6ef9c13393 \ + --hash=sha256:e342223ada6b1d34f3719d3612991924cb68fa7f8fb2ec22f5bda254882828ab \ + --hash=sha256:ebb116751a49977c0b130493d3af13c567c4613946d293d4f61601237fabcd5f \ + --hash=sha256:ecf72cb96106fbde29682db37569c7cee3ebf29ecf9ead46978679057c6df234 \ + --hash=sha256:f2ebc97ba03b26e9b6b048b6c3981165126905cb20564fbf6584f5e072a1c189 \ + --hash=sha256:f4b5acb4cddcaf0ebb82a226f9fa1d5063505e0c206031ee1f4d173750b592fd \ + --hash=sha256:fba9546b80f3b275f04915ffbca7b75aa22a353c4f6410469fb1d8c340ec1c31 \ + --hash=sha256:fe8cb43962af8e43facad740930fadc4cf8cdc1e073f59d0f13714711807979f \ + --hash=sha256:ffbbeedd6bac26c0373b71831d3c73181a1c100dc6fc7aadbfcca54cace417db # via -r build-requirements.in -pycparser==2.22 ; platform_python_implementation != 'PyPy' \ +pycparser==2.22 ; (python_full_version < '3.14' and platform_python_implementation != 'PyPy') or (implementation_name != 'PyPy' and platform_python_implementation != 'PyPy') \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1c7e55d4e14d..e872d09944da 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -28,6 +28,7 @@ jobs: - {VERSION: "3.13", NOXSESSION: "rust"} - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.5.2"}} - {VERSION: "3.14-dev", NOXSESSION: "tests"} + - {VERSION: "3.14t-dev", NOXSESSION: "rust,tests"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.11", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.13", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.5.2", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} @@ -58,7 +59,7 @@ jobs: - {VERSION: "3.13", NOXSESSION: "tests-rust-debug"} # Not actually an MSRV, just for coverage on this - {VERSION: "3.13", NOXSESSION: "tests", RUST: "1.87", OPENSSL: {TYPE: "openssl", VERSION: "3.5.2"}} - - {VERSION: "3.13", NOXSESSION: "tests", RUST: "1.87", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.5.2"}} + - {VERSION: "3.13", NOXSESSION: "tests", RUST: "1.87", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.5.1"}} timeout-minutes: 15 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -288,6 +289,7 @@ jobs: PYTHON: - {VERSION: "3.8", NOXSESSION: "tests"} - {VERSION: "3.13", NOXSESSION: "tests"} + - {VERSION: "3.14t-dev", NOXSESSION: "tests"} exclude: # We only test latest Python on arm64. py38 won't work since there's no universal2 binary - PYTHON: {VERSION: "3.8", NOXSESSION: "tests"} @@ -356,6 +358,7 @@ jobs: PYTHON: - {VERSION: "3.8", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.13", NOXSESSION: "tests"} + - {VERSION: "3.14t-dev", NOXSESSION: "tests"} include: # Not in the main matrix because we want tests-nocoverage on Python # 3.13 diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 2884e1df01eb..a08e142eba86 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -67,6 +67,7 @@ jobs: PYTHON: - { VERSION: "cp311-cp311", ABI_VERSION: 'py38' } - { VERSION: "cp311-cp311", ABI_VERSION: 'py311' } + - { VERSION: "cp314-cp314t" } - { VERSION: "pp310-pypy310_pp73" } - { VERSION: "pp311-pypy311_pp73" } MANYLINUX: @@ -84,7 +85,7 @@ jobs: - { NAME: "manylinux_2_28_ppc64le", CONTAINER: "cryptography-manylinux_2_28:ppc64le", RUNNER: "ubuntu-24.04-ppc64le" } - { NAME: "manylinux_2_34_ppc64le", CONTAINER: "cryptography-manylinux_2_34:ppc64le", RUNNER: "ubuntu-24.04-ppc64le" } - + exclude: # There are no readily available musllinux PyPy distributions - PYTHON: { VERSION: "pp310-pypy310_pp73" } @@ -122,6 +123,14 @@ jobs: - PYTHON: { VERSION: "pp311-pypy311_pp73" } MANYLINUX: { NAME: "manylinux_2_28_ppc64le", CONTAINER: "cryptography-manylinux_2_28:ppc64le", RUNNER: "ubuntu-24.04-ppc64le" } + # CFFI 2.0.0b is missing manylinux2014 wheels + - PYTHON: { VERSION: "cp314-cp314t" } + MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" } + - PYTHON: { VERSION: "cp314-cp314t" } + MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" } + - PYTHON: { VERSION: "cp314-cp314t" } + MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: "ubuntu-24.04-arm" } + name: "${{ matrix.PYTHON.VERSION }} for ${{ matrix.MANYLINUX.NAME }}" steps: - name: Ridiculous-er workaround for static node20 @@ -161,7 +170,7 @@ jobs: # docker running on an arm64 CPU OPENSSL_DIR="/opt/pyca/cryptography/openssl" \ OPENSSL_STATIC=1 \ - manylinux-entrypoint uv build --python=/opt/python/${{ matrix.PYTHON.VERSION }}/bin/python --wheel --require-hashes --build-constraint=$BUILD_REQUIREMENTS_PATH $PY_LIMITED_API cryptography*.tar.gz -o tmpwheelhouse/ + manylinux-entrypoint uv build -v --python=/opt/python/${{ matrix.PYTHON.VERSION }}/bin/python --wheel --require-hashes --build-constraint=$BUILD_REQUIREMENTS_PATH $PY_LIMITED_API cryptography*.tar.gz -o tmpwheelhouse/ env: RUSTUP_HOME: /root/.rustup - run: auditwheel repair --plat ${{ matrix.MANYLINUX.NAME }} tmpwheelhouse/cryptography*.whl -w wheelhouse/ @@ -217,6 +226,16 @@ jobs: # This will change in the future as we change the base Python we # build against _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2' + - VERSION: '3.14t' + DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.14.0/python-3.14.0rc1-macos11.pkg' + BIN_PATH: '/Library/Frameworks/PythonT.framework/Versions/3.14/bin/python3.14t' + DEPLOYMENT_TARGET: '10.13' + # This archflags is default, but let's be explicit + ARCHFLAGS: '-arch x86_64 -arch arm64' + # See https://github.com/pypa/cibuildwheel/blob/c8876b5c54a6c6b08de5d4b1586906b56203bd9e/cibuildwheel/macos.py#L257-L269 + # This will change in the future as we change the base Python we + # build against + _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2' - VERSION: 'pypy-3.10' BIN_PATH: 'pypy3' DEPLOYMENT_TARGET: '10.13' @@ -229,7 +248,7 @@ jobs: ARCHFLAGS: '-arch x86_64' name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - - name: Get build-requirements.txt from repository + - name: Get build configuration from repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # The tag to build or the tag received by the tag event @@ -238,6 +257,7 @@ jobs: sparse-checkout: | ${{ env.BUILD_REQUIREMENTS_PATH }} ${{ env.UV_REQUIREMENTS_PATH }} + .github/config/macos-pkg-choices-freethreaded.xml sparse-checkout-cone-mode: false - name: Setup python run: | @@ -245,7 +265,14 @@ jobs: sudo installer -pkg python.pkg -target / env: PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} - if: contains(matrix.PYTHON.VERSION, 'pypy') == false + if: contains(matrix.PYTHON.VERSION, 'pypy') == false && matrix.PYTHON.VERSION != '3.14t' + - name: Setup free-threaded python + run: | + curl --max-time 30 --retry 5 "$PYTHON_DOWNLOAD_URL" -o python.pkg + sudo installer -pkg python.pkg -applyChoiceChangesXML .github/config/macos-pkg-choices-freethreaded.xml -target / + env: + PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} + if: matrix.PYTHON.VERSION == '3.14t' - name: Setup pypy uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: @@ -270,6 +297,9 @@ jobs: name: cryptography-sdist - run: ${{ matrix.PYTHON.BIN_PATH }} -m pip install -r "${UV_REQUIREMENTS_PATH}" + - name: add free-threaded python tools directory to PATH + run: echo "/Library/Frameworks/PythonT.framework/Versions/3.14/bin" >> "$GITHUB_PATH" + if: matrix.PYTHON.VERSION == '3.14t' - run: mkdir wheelhouse - name: Build the wheel run: | @@ -314,6 +344,7 @@ jobs: PYTHON: - {VERSION: "3.11", "ABI_VERSION": "py38"} - {VERSION: "3.11", "ABI_VERSION": "py311"} + - {VERSION: "3.14t-dev"} - {VERSION: "pypy-3.10"} - {VERSION: "pypy-3.11"} exclude: @@ -346,6 +377,7 @@ jobs: - name: Setup python uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + id: setup-python with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} @@ -377,10 +409,13 @@ jobs: PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }}" fi - uv build --wheel --require-hashes --build-constraint=$BUILD_REQUIREMENTS_PATH cryptography*.tar.gz $PY_LIMITED_API -o wheelhouse/ + echo $PY_LIMITED_API + ls cryptography*.tar.gz + + uv build --python='${{ steps.setup-python.outputs.python-path }}' -v --wheel --require-hashes --build-constraint=$BUILD_REQUIREMENTS_PATH cryptography*.tar.gz $PY_LIMITED_API -o wheelhouse/ shell: bash - - run: uv venv + - run: uv venv --python='${{ steps.setup-python.outputs.python-path }}' - run: uv pip install --require-hashes -r "${BUILD_REQUIREMENTS_PATH}" shell: bash - run: uv pip install cryptography --no-index -f wheelhouse/ diff --git a/pyproject.toml b/pyproject.toml index de210c38ac1f..22a911545808 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,8 @@ requires = [ "maturin>=1.8.6,<2", # Must be kept in sync with `project.dependencies` - "cffi>=1.14; platform_python_implementation != 'PyPy'", + "cffi>=1.14; platform_python_implementation != 'PyPy' and python_version < '3.14'", + "cffi>=2.0.0b; platform_python_implementation != 'PyPy' and python_version >= '3.14'", # Used by cffi (which import distutils, and in Python 3.12, distutils has # been removed from the stdlib, but installing setuptools puts it back) as # well as our build.rs for the rust/cffi bridge. @@ -48,7 +49,8 @@ classifiers = [ requires-python = ">=3.8,!=3.9.0,!=3.9.1" dependencies = [ # Must be kept in sync with `build-system.requires` - "cffi>=1.14; platform_python_implementation != 'PyPy'", + "cffi>=1.14; platform_python_implementation != 'PyPy' and python_version < '3.14'", + "cffi>=2.0.0b; platform_python_implementation != 'PyPy' and python_version >= '3.14'", ] [project.urls] diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index 347e823a2868..4c0f37738545 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs @@ -78,8 +78,15 @@ fn main() { build.include(python_include); } - // Enable abi3 mode if we're not using PyPy. - if python_impl != "PyPy" { + let is_free_threaded = run_python_script( + &python, + "import sysconfig; print(bool(sysconfig.get_config_var('Py_GIL_DISABLED')), end='')", + ) + .unwrap() + == "True"; + + // Enable abi3 mode if we're not using PyPy or the free-threaded build + if !(python_impl == "PyPy" || is_free_threaded) { // cp38 (Python 3.8 to help our grep when we some day drop 3.8 support) build.define("Py_LIMITED_API", "0x030800f0"); } From 1fe8f0a712fec636e582fabbb13f597c34be2260 Mon Sep 17 00:00:00 2001 From: Nathan Goldbaum Date: Wed, 13 Aug 2025 10:46:17 -0600 Subject: [PATCH 2/2] add trove classifiers --- pyproject.toml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pyproject.toml b/pyproject.toml index 22a911545808..191ca2eab852 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -42,8 +42,10 @@ classifiers = [ "Programming Language :: Python :: 3.11", "Programming Language :: Python :: 3.12", "Programming Language :: Python :: 3.13", + "Programming Language :: Python :: 3.14", "Programming Language :: Python :: Implementation :: CPython", "Programming Language :: Python :: Implementation :: PyPy", + "Programming Language :: Python :: Free Threading :: 3 - Stable", "Topic :: Security :: Cryptography", ] requires-python = ">=3.8,!=3.9.0,!=3.9.1"