
Pin cryptography>=44.0.2 for PyPy 3.11 compatibility #46654

Open
rohitsinghal4u wants to merge 14 commits into main from fix/keyvault-pypy-cryptography


@rohitsinghal4u
Contributor

Problem

The keyvault-certificates pipeline (`python - keyvault`) fails on the `Test ubuntu2404_pypy311` job because the `mindependency` check resolves `cryptography==40.0.2` (via `pyopenssl`), which has Rust bindings incompatible with PyPy 3.11:

```
ImportError: ...cryptography/hazmat/bindings/_rust.pypy311-pp73-x86_64-linux-gnu.so: undefined symbol: PySlice_AdjustIndices
```

Failing build: https://dev.azure.com/azure-sdk/internal/_build/results?buildId=6234915

Fix

Pin `cryptography>=44.0.2` in `dev_requirements.txt`. Version 44.0.2 is the first release that ships PyPy 3.11 wheels (per the changelog).

Impact

  • Only affects dev/test dependencies, no production dependency changes.
  • Ensures the minimum dependency check resolves a PyPy 3.11-compatible `cryptography` version.

singhalrohit4u and others added 3 commits April 15, 2026 16:22
…on (#fix-mypy-keys)

Change tags property return type from Dict[str, str] to Optional[Dict[str, str]]
to match the actual implementation which can return None when no tags are set.

azure/keyvault/keys/_models.py:261: error: Incompatible return value type
(got 'Any | None', expected 'dict[str, str]') [return-value]

The mindependency check was resolving cryptography==40.0.2 via pyopenssl,
which has incompatible Rust bindings on PyPy 3.11 (undefined symbol:
PySlice_AdjustIndices). Version 44.0.2 is the first to ship PyPy 3.11 wheels.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor

Copilot AI left a comment


Pull request overview

This PR aims to fix the azure-keyvault-certificates minimum-dependency CI failure on PyPy 3.11 by ensuring the resolved cryptography version includes PyPy 3.11-compatible wheels.

Changes:

  • Add cryptography>=44.0.2 to azure-keyvault-certificates/dev_requirements.txt to force a PyPy 3.11-compatible cryptography during the mindependency run.
  • Update azure-keyvault-keys KeyProperties.tags return type to Optional[Dict[str, str]] and align the docstring accordingly.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| sdk/keyvault/azure-keyvault-certificates/dev_requirements.txt | Pins cryptography to avoid resolving an incompatible minimum version on PyPy 3.11. |
| sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_models.py | Adjusts the tags property type annotation/docstring to allow None. |

Comment thread sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_models.py
Comment thread sdk/keyvault/azure-keyvault-certificates/dev_requirements.txt Outdated
@rohitsinghal4u
Contributor Author

@copilot apply changes based on the comments in this thread

…yproject.toml

Agent-Logs-Url: https://github.com/Azure/azure-sdk-for-python/sessions/5eb197c9-98b3-4aab-b6ff-e44add5af00e

Co-authored-by: rohitsinghal4u <5697065+rohitsinghal4u@users.noreply.github.com>
Contributor

Copilot AI commented Apr 30, 2026

@copilot apply changes based on the comments in this thread

Done in commit 7b889b76:

  1. Reverted _models.py — The unrelated KeyProperties.tags type annotation change in azure-keyvault-keys has been reverted to its original Dict[str, str] return type; it no longer appears in this PR's diff.

  2. Added cryptography>=44.0.2 to pyproject.toml — The pin has been added to the [dependency-groups].dev list in azure-keyvault-certificates/pyproject.toml alongside the existing dev_requirements.txt entry, so the constraint applies regardless of whether pip or uv resolves dev dependencies.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • scanning-api.github.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@rohitsinghal4u
Contributor Author

@copilot apply changes based on the comments in this thread

Contributor

Copilot AI commented Apr 30, 2026

@copilot apply changes based on the comments in this thread

These changes were already applied in commit 7b889b76:

  1. The unrelated KeyProperties.tags type annotation change in azure-keyvault-keys/_models.py has been reverted — it no longer appears in this PR's diff.
  2. cryptography>=44.0.2 has been added to both dev_requirements.txt and the [dependency-groups].dev list in pyproject.toml, so the constraint applies regardless of whether pip or uv is used.

singhalrohit4u and others added 2 commits April 30, 2026 19:33
- Add __deepcopy__ to KeyVaultRSAPublicKey and KeyVaultRSAPrivateKey
  to satisfy new abstract method added in cryptography 47.0.0
- Pin cryptography<47.0.0 in certificates dev_requirements.txt
  to avoid broken PyPy 3.11 wheel served by CI feed

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@rohitsinghal4u
Contributor Author

@copilot apply changes based on the comments in this thread

…ments.txt and pyproject.toml; restore _models.py to base state

Agent-Logs-Url: https://github.com/Azure/azure-sdk-for-python/sessions/a9fef9e3-33a3-405a-ac91-fc2cedda87de

Co-authored-by: rohitsinghal4u <5697065+rohitsinghal4u@users.noreply.github.com>
Contributor

Copilot AI commented May 1, 2026

@copilot apply changes based on the comments in this thread

Done in commit 72621f23:

  1. azure-keyvault-keys/_models.py — restored to the base branch state (Optional[Dict[str, str]]); it no longer appears in this PR's diff.
  2. dev_requirements.txt — updated to cryptography>=44.0.2,<47.0.0 (lower bound for PyPy 3.11 compatibility, upper bound to avoid the broken 47.0.0 wheels).
  3. pyproject.toml — updated to the same cryptography>=44.0.2,<47.0.0 constraint, keeping both dev dependency sources consistent.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • scanning-api.github.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

scbedd and others added 2 commits May 1, 2026 19:52
… crypto. adjust keys conftest for required changes for 3.14. allowed pyopenssl to pull new versions from upstream in the public/azure-sdk-for-python feed, so openssl related errors should also disappear.