All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
1.0.7 - 2026-07-07
- macOS wheels are now self-contained: OpenSSL is vendored and statically linked
like the Linux wheels. Previously the published macOS wheel baked in an absolute
path to Homebrew's
openssl@3and failed to import on machines without that exact install (#276)
1.0.6 - 2026-04-08
- Fixed a bug where the verification incorrectly picked the leaf certificate. This allowed an attacker who could modify a timestamp response to make a legitimately-signed timestamp from TSA-A pass verification as if it came from TSA-B.
1.0.5 - 2025-09-23
- Bump
pyca/cryptographydependency upper bound to version 47
1.0.4 - 2025-08-11
- Timestamps are now verified with the timestamp time as reference time like the RFC says: this means that the certificate chain no longer needs to be valid at current time, it is enough for it to have been valid at timestamp time (#174)
1.0.3 - 2025-06-20
-
Exposed
verify_messagein the actualVerifyinterface, not just the implementation (#153) -
Fixed a bug where verification performed insufficient signature checks on the timestamp response itself, rather than the response's certificate chain
- Use
mypyfor type checking (#154)
1.0.2 - 2025-05-19
-
Added
HashAlgorithmto exports of the base package module (#143) -
Added
verify_messagemethod toVerifierclass (#144) -
Slight refactoring of the tests to ease how to test with multiple TSA (#145)
-
Changed return value of
VerifierBuilder.build()from_VerifiertoVerifier: This is technically an API change but should have minimal user impact. (#147)
- Fixed spelling of
hash_algorithmparameter inTimestampRequestBuilderclass (#131)
1.0.1 - 2025-03-24
-
The Verifier now enforces that the EKU (Extended Key Usage) explicitly includes the
id-kp-timeStampingOID (#120) -
The Verifier now searches for the leaf certificate in the Timestamp Response instead of using the first one provided (#121)
1.0.0 - 2024-12-31
TimestampRequestnow accepts setting the hash algorithm toSHA256(in addition toSHA512) (93)
0.1.2 - 2024-12-11
-
Moved
maturindependency from main project dependencies to development dependencies since it's only needed for development tasks (88) -
Relax cryptography version requirement (91)
- The project now correctly runs tests with PyPy (89)
0.1.1 - 2024-12-10
rfc3161-clientrelease0.1.0was previously published and yanked on PyPI, preventing republication (85)
0.1.0 - 2024-12-10
rfc3161-clientis now in beta (82).
- The minimum version of
cryptographyrequired is now44(#75)
0.0.4 - 2024-11-20
- TimestampResponse now has a
as_bytesmethod to retrieve the original request bytes (#62)
0.0.3 - 2024-11-06
- Magic method (
__eq__and__repr__) has been added for TimestampResponse and TimestampRequest (#48)
- The CI now correctly builds wheels for Windows (49)
0.0.2 - 2024-10-30
- Magic methods (
__hash__and__repr__) have been added for TimestampResponse and TimestampRequest (#32) VerifierBuilderis now the only way to create aVerifier(#35)
- The version is now correctly sourced from
pyproject.toml(#30) - The nonce generation no longer fails sporadically (#33)
Accuracynow correctly accepts valid inputs and enforce range invariants (#43)- Fixes a bug in how
TSTInfowas parsed (#45)
- The public API is now available directly from the main package module (#36)
0.0.1 - 2024-10-18
This is the first alpha release of rfc3161-client.