Bump signxml from 2.6.0 to 4.0.4

[dependabot]

Bumps signxml from 2.6.0 to 4.0.4.

Release notes

Sourced from signxml's releases.

v4.0.4

This release contains security fixes for two security advisories:

• Signature verification with HMAC is vulnerable to an algorithm confusion attack (GHSA-6vx8-pcwv-xhf4)

• Signature verification with HMAC is vulnerable to a timing attack (GHSA-gmhf-gg8w-jw42)

v4.0.3

• Fix issue with support for deprecated PyOpenSSL certificates

  • Fully remove the ca_path parameter; add docs for signature location pinning

v4.0.2

• XAdES signing: remove duplicate timezone information from SigningTime (#266)

v4.0.1

• Verifier: Accept PyOpenSSL cert input, add deprecation warning

v4.0.0

• Replace PyOpenSSL with Cryptography (#260)

  - This is a major infrastructure change that replaces core
    certificate parsing, key processing, signature validation, and
    certificate chain validation functions previously provided by
    PyOpenSSL with those provided by Cryptography. Care was taken to
    preserve the exisitng API, including exception types, but many
    error messages raised in various error conditions have changed. If
    you see unexpected behavior and you have reason to believe it is
    incorrect, please file an issue.
  
  Breaking change: the ca_path parameter, previously used to specify
  
  CA certificate stores, is no longer supported. Use the ca_pem_file
  
  parameter instead.
  
  

• Raise error when invalid certificate string is passed as input to signer

• Fix public key matching for ECDSA (#245)

v3.2.2

• Update upper bound on lxml dependency to allow lxml 5

  • Bump minimum dependency versions to align with Ubuntu 20.04

  • Test and release infrastructure improvements

v3.2.1

• Use dataclass.replace in SignatureReference construction. Fixes #231

... (truncated)

Changelog

Sourced from signxml's changelog.

Changes for v4.0.4 (2025-06-01)

This release contains security fixes for two security advisories:

• Signature verification with HMAC is vulnerable to an algorithm confusion attack (GHSA-6vx8-pcwv-xhf4)

• Signature verification with HMAC is vulnerable to a timing attack (GHSA-gmhf-gg8w-jw42)

Changes for v4.0.3 (2024-11-23)

• Fix issue with support for deprecated PyOpenSSL certificates

• Fully remove the ca_path parameter; add docs for signature location pinning

Changes for v4.0.2 (2024-09-10)

• XAdES signing: remove duplicate timezone information from SigningTime (#266)

Changes for v4.0.1 (2024-08-30)

• Verifier: Accept PyOpenSSL cert input, add deprecation warning

Changes for v4.0.0 (2024-08-21)

• Replace PyOpenSSL with Cryptography (#260)

  • This is a major infrastructure change that replaces core certificate parsing, key processing, signature validation, and certificate chain validation functions previously provided by PyOpenSSL with those provided by Cryptography. Care was taken to preserve the exisitng API, including exception types, but many error messages raised in various error conditions have changed. If you see unexpected behavior and you have reason to believe it is incorrect, please file an issue.

  • Breaking change: the ca_path parameter, previously used to specify CA certificate stores, is no longer supported. Use the ca_pem_file parameter instead.

• Raise error when invalid certificate string is passed as input to

... (truncated)

Commits

• f7da15c v4.0.4
• 97e1f48 Remove Python 3.8 from CI matrix
• eb429d9 Use ubuntu 22.04 as the oldest ubuntu in CI
• 1d36531 Sort imports
• e3c0c2b Merge commit from fork
• 1b501fa Merge commit from fork
• 43e06b4 Update README.rst
• 9b79201 Update README.rst
• 3ec7505 Add note about comment canonicalization
• 2d818c9 Remove pre-release Python from test matrix
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.