Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OS Dates before 01/01/2011 are broken #46

elementalistic opened this issue Jul 2, 2015 · 1 comment · Fixed by alphagov/notifications-admin#3314

OS Dates before 01/01/2011 are broken #46

elementalistic opened this issue Jul 2, 2015 · 1 comment · Fixed by alphagov/notifications-admin#3314


Copy link

I'm using an embedded linux with a startup kernal time of 01/01/2010, with flask hosted site as a config tool. If the device doesn't have an internet connection (to update time from NTP), and they trigger TimeStampSigner.sign() function in, the int_to_byte assert fails as num is < 0.

I've not delved into why the logic expects the date to be greater then 2011, but it breaks it for me.

Copy link

egorf commented Jul 29, 2015

I have the same problem. I am using a flask app in an embedded Linux IOT device. Default startup time is 01.01.2000. Do you guys plan to fix this? The only workaround I found is setting date on startup every time.
Another question is why is it exactly 2011?
Thank you!

stereosteve pushed a commit to stereosteve/itsdangerous that referenced this issue Jul 7, 2016

1/1/2011 cutoff was removed, but comment was not updated.
davidism pushed a commit that referenced this issue Jul 7, 2016

1/1/2011 cutoff was removed, but comment was not updated.
@davidism davidism added this to the 1.0.0 milestone Sep 28, 2018
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Nov 10, 2018
Version 1.1.0

Released 2018-10-26

-   Change default signing algorithm back to SHA-1. (`#113`_)
-   Added a default SHA-512 fallback for users who used the yanked 1.0.0
    release which defaulted to SHA-512. (`#114`_)
-   Add support for fallback algorithms during deserialization to
    support changing the default in the future without breaking existing
    signatures. (`#113`_)
-   Changed capitalization of packages back to lowercase as the change
    in capitalization broke some tooling. (`#113`_)

.. _#113: pallets/itsdangerous#113
.. _#114: pallets/itsdangerous#114

Version 1.0.0

Released 2018-10-18


*Note*: This release was yanked from PyPI because it changed the default
algorithm to SHA-512. This decision was reverted in 1.1.0 and it remains
at SHA1.

-   Drop support for Python 2.6 and 3.3.
-   Refactor code from a single module to a package. Any object in the
    API docs is still importable from the top-level ``itsdangerous``
    name, but other imports will need to be changed. A future release
    will remove many of these compatibility imports. (`#107`_)
-   Optimize how timestamps are serialized and deserialized. (`#13`_)
-   ``base64_decode`` raises ``BadData`` when it is passed invalid data.
-   Ensure value is bytes when signing to avoid a ``TypeError`` on
    Python 3. (`#29`_)
-   Add a ``serializer_kwargs`` argument to ``Serializer``, which is
    passed to ``dumps`` during ``dump_payload``. (`#36`_)
-   More compact JSON dumps for unicode strings. (`#38`_)
-   Use the full timestamp rather than an offset, allowing dates before
    2011. (`#46`_)
-   Detect a ``sep`` character that may show up in the signature itself
    and raise a ``ValueError``. (`#62`_)
-   Use a consistent signature for keyword arguments for
    ``Serializer.load_payload`` in subclasses. (`#74`_, `#75`_)
-   Change default intermediate hash from SHA-1 to SHA-512. (`#80`_)
-   Convert JWS exp header to an int when loading. (`#99`_)

.. _#13: pallets/itsdangerous#13
.. _#27: pallets/itsdangerous#27
.. _#29: pallets/itsdangerous#29
.. _#36: pallets/itsdangerous#36
.. _#38: pallets/itsdangerous#38
.. _#46: pallets/itsdangerous#46
.. _#62: pallets/itsdangerous#62
.. _#74: pallets/itsdangerous#74
.. _#75: pallets/itsdangerous#75
.. _#80: pallets/itsdangerous#80
.. _#99: pallets/itsdangerous#99
.. _#107: pallets/itsdangerous#107
quis added a commit to alphagov/notifications-admin that referenced this issue Feb 19, 2020
Version 1.1.0 has reverted the breaking change (moving from sha1 to
sha256) that was introduced in version 1.0.0.

Upgrading now so that we can take advantage of this bug fix:
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 9, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
None yet

Successfully merging a pull request may close this issue.

3 participants