v1.0.0 cannot load strings signed by v0.24

[leohemsted]

Testing with python 3.5.2.

I've got some strings that were serialised with v0.24. After upgrading, those strings are no longer able to be deserialised. (I've also tried this with Serializer, same outcome).

$ pip freeze | grep -i itsdangerous
itsdangerous==0.24
$ python -c "import itsdangerous; print(itsdangerous.URLSafeSerializer('secret-key').dumps('hello', salt='salt'))"
ImhlbGxvIg.IsTgRVmz0Tp1EYVQx7VJSY7R--M
$ pip install itsdangerous==1.0.0
python -c "import itsdangerous; print(itsdangerous.URLSafeSerializer('secret-key').loads('ImhlbGxvIg.IsTgRVmz0Tp1EYVQx7VJSY7R--M', salt='salt'))"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/Users/me/.virtualenvs/test/lib/python3.5/site-packages/itsdangerous/serializer.py", line 131, in loads
    return self.load_payload(self.make_signer(salt).unsign(s))
  File "/Users/me/.virtualenvs/test/lib/python3.5/site-packages/itsdangerous/signer.py", line 175, in unsign
    raise BadSignature("Signature %r does not match" % sig, payload=value)
itsdangerous.exc.BadSignature: Signature b'IsTgRVmz0Tp1EYVQx7VJSY7R--M' does not match

[leohemsted]

Ah, this is due to the change of default digest method from sha1 to sha512. Can pass in signer_kwargs={'digest_method': hashlib.sha1} to the __init__ while we migrate.

[davidism]

Yeah, you'll need to support that migration in your code. You can upgrade tokens by trying the new signer, then trying the old signer if it fails.

[davidism]

#111, #112

[davidism]

itsdangerous 1.1.0 has been released. It reverts to SHA-1, and adds a fallback mechanism to safely upgrade signing parameters in the future. It also reverts the package name to all lowercase "itsdangerous".

You can read a longer explanation here: https://palletsprojects.com/blog/itsdangerous-1-1-0-released/