Bump signify from 0.3.0 to 0.9.2 in /build/python/backend #170

Merged
mattbing merged 1 commit into main from dependabot/pip/build/python/backend/signify-0.9.2
Apr 8, 2026

@dependabot dependabot bot commented on behalf of github Mar 27, 2026

Bumps signify from 0.3.0 to 0.9.2.

Changelog

Sourced from signify's changelog.

v0.9.2 (2025-12-31)

  • Fix issue with incorrect page size assumptions leading to incorrectly reported errors on page hashes.
  • Fixed checking of keyUsage extension. Previous (incorrect) behaviour can be restored by passing strict_validation=False to AuthenticodeSignature.verify.
  • Added AuthenticodeFile.iter_indirect_data as an easy interface for inspection of signature data.

v0.9.1 (2025-10-07)

  • Resolve packaging issue with legacy certificates not being included

v0.9.0 (2025-10-07)

  • Added support for verifying catalog (.cat) files and CTL (.stl) files.

  • Added support for validation using external catalog files containing (additional) signatures.

  • Added support for verifying flat images (i.e. non-Authenticode files) using these external signatures.

  • Added entrypoint (CLI script) for displaying various details about Authenticode files.

  • Added support for binaries signed with legacy root certificates trusted in Windows.

  • Added AuthenticodeFile.iter_signatures and .signatures to iterate over all available signatures (embedded and catalogs). You can specify which of these signature types to use for validation in .validate.

  • Added AuthenticodeFile.verify_signature to check a signature (embedded or catalog). Use this instead of signature.verify.

  • Renamed AuthenticodeSignedData to AuthenticodeSignature.

  • Renamed AuthenticodeFile.iter_signed_datas and .signed_datas to AuthenticodeFile.iter_embedded_signatures and .embedded_signatures, respectively.

  • Renamed AuthenticodeFile.detect to AuthenticodeFile.from_stream

  • Moved validation of a signature's IndirectData to AuthenticodeFile.verify_indirect_data, although AuthenticodeSignedData retains its capabilities if expected_hash is provided and signed_file is unavailable.

  • Move concrete implementations of file types to a separate module with dynamic detection, and remove various concrete implementations as imports from signify.authenticode.

  • Moved various structures out of signify.authenticode.structures and direct imports out of signify.authenticode to prevent circular imports. These are now split across multiple files. While doing so, some other files were renamed as well.

  • Add support for unsigned SignedData objects.

  • Changed calculated property SignedData.content_digest to a method SignedData.get_content_digest

  • Improved parsing of CertificateTrustList attributes.

  • Added CombinedCertificateStore with the ability to combine multiple certificate stores (use CertificateStore() | CertificateStore())

  • Added the ability to use dicts as ctl argument for CertificateStore, allowing limited use of extended key usages for certain certificates.

... (truncated)

Commits
  • 023ef30 Release as 0.9.2
  • 66b2a9a Check key usage when present, refs #60
  • b127439 Add AuthenticodeFile.iter_indirect_data
  • 25e7046 Fix incorrect assumption for page sizes, fixes #58
  • b573efc Refactor creation of verification contexts in SignedData.verify
  • bb096df Fix packaging issue, release 0.9.1
  • b3fdaa2 Release v0.9.0
  • 54ee994 Do not update CombinedCertificateStore when using or
  • be084cb Add information about cryptsvc and catdb to docs
  • b182707 Update changelog
  • Additional commits viewable in compare view

@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) labels Mar 27, 2026

socket-security bot commented Mar 27, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | pypi/signify@0.3.0 ⏵ 0.9.1 | 99 +2 | 85 | 100 | 100 | 100 |

View full report

@mattbing mattbing left a comment

Built a test image, signify is only used by ScanPe which is disabled

Bumps [signify](https://github.com/ralphje/signify) from 0.3.0 to 0.9.2.
- [Changelog](https://github.com/ralphje/signify/blob/master/docs/changelog.rst)
- [Commits](ralphje/signify@v0.3.0...v0.9.2)

---
updated-dependencies:
- dependency-name: signify
  dependency-version: 0.9.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/pip/build/python/backend/signify-0.9.2 branch from b90d095 to 0f9a787 Compare April 8, 2026 14:53
@mattbing mattbing merged commit e540362 into main Apr 8, 2026
3 checks passed
@mattbing mattbing deleted the dependabot/pip/build/python/backend/signify-0.9.2 branch April 8, 2026 15:57