
Refs #27468 -- Removed support for the pre-Django 3.1 signatures in Signer and signing.dumps()/loads().

Per deprecation timeline.
Mariusz Felisiak 4 년 전
부모
커밋
d32a232fe9
3개의 변경된 파일9개의 추가작업 그리고 30개의 파일을 삭제
  1. 1 13
      django/core/signing.py
  2. 7 0
      docs/releases/4.0.txt
  3. 1 17
      tests/signing/tests.py

+ 1 - 13
django/core/signing.py

@@ -120,9 +120,6 @@ def loads(s, key=None, salt='django.core.signing', serializer=JSONSerializer, ma
 
 
 class Signer:
-    # RemovedInDjango40Warning.
-    legacy_algorithm = 'sha1'
-
     def __init__(self, key=None, sep=':', salt=None, algorithm=None):
         self.key = key or settings.SECRET_KEY
         self.sep = sep
@@ -139,10 +136,6 @@ class Signer:
     def signature(self, value):
         return base64_hmac(self.salt + 'signer', value, self.key, algorithm=self.algorithm)
 
-    def _legacy_signature(self, value):
-        # RemovedInDjango40Warning.
-        return base64_hmac(self.salt + 'signer', value, self.key, algorithm=self.legacy_algorithm)
-
     def sign(self, value):
         return '%s%s%s' % (value, self.sep, self.signature(value))
 
@@ -150,12 +143,7 @@ class Signer:
         if self.sep not in signed_value:
             raise BadSignature('No "%s" found in value' % self.sep)
         value, sig = signed_value.rsplit(self.sep, 1)
-        if (
-            constant_time_compare(sig, self.signature(value)) or (
-                self.legacy_algorithm and
-                constant_time_compare(sig, self._legacy_signature(value))
-            )
-        ):
+        if constant_time_compare(sig, self.signature(value)):
             return value
         raise BadSignature('Signature "%s" does not match' % sig)
 
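Review bot: The single `constant_time_compare` check in `unsign()` has no comment saying that only `self.algorithm` is verified now, so a later reader cannot tell that the missing fallback is deliberate. I would add `# Only self.algorithm is verified; pre-Django 3.1 SHA-1 signatures are rejected on purpose.` directly above the `if`. The tests section of this commit still signs and loads under `DEFAULT_HASHING_ALGORITHM='sha1'`, so SHA-1 presumably remains reachable through that setting. How `self.algorithm` is chosen is outside this hunk, as is the `def unsign` line.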

+ 7 - 0
docs/releases/4.0.txt

@@ -285,3 +285,10 @@ to remove usage of these features.
   use the SHA-1 hashing algorithm) is removed.
 
 * Support for the pre-Django 3.1 encoding format of sessions is removed.
+
+* Support for the pre-Django 3.1 ``django.core.signing.Signer`` signatures
+  (encoded with the SHA-1 algorithm) is removed.
+
+* Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures
+  (encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` is
+  removed.

+ 1 - 17
tests/signing/tests.py

@@ -67,14 +67,6 @@ class TestSigner(SimpleTestCase):
         with self.assertRaisesMessage(InvalidAlgorithm, msg):
             signer.sign('hello')
 
-    def test_legacy_signature(self):
-        # RemovedInDjango40Warning: pre-Django 3.1 signatures won't be
-        # supported.
-        signer = signing.Signer()
-        sha1_sig = 'foo:l-EMM5FtewpcHMbKFeQodt3X9z8'
-        self.assertNotEqual(signer.sign('foo'), sha1_sig)
-        self.assertEqual(signer.unsign(sha1_sig), 'foo')
-
     def test_sign_unsign(self):
         "sign/unsign should be reversible"
         signer = signing.Signer('predictable-secret')
@@ -151,20 +143,12 @@ class TestSigner(SimpleTestCase):
             self.assertNotEqual(o, signing.dumps(o, compress=True))
             self.assertEqual(o, signing.loads(signing.dumps(o, compress=True)))
 
-    def test_dumps_loads_legacy_signature(self):
-        # RemovedInDjango40Warning: pre-Django 3.1 signatures won't be
-        # supported.
-        value = 'a string \u2020'
-        # SHA-1 signed value.
-        signed = 'ImEgc3RyaW5nIFx1MjAyMCI:1k1beT:ZfNhN1kdws7KosUleOvuYroPHEc'
-        self.assertEqual(signing.loads(signed), value)
-
     @ignore_warnings(category=RemovedInDjango40Warning)
     def test_dumps_loads_default_hashing_algorithm_sha1(self):
         value = 'a string \u2020'
         with self.settings(DEFAULT_HASHING_ALGORITHM='sha1'):
             signed = signing.dumps(value)
-        self.assertEqual(signing.loads(signed), value)
+            self.assertEqual(signing.loads(signed), value)
 
     def test_decode_detects_tampering(self):
         "loads should raise exception for tampered objects"
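Review bot: Nothing in this file now asserts that a pre-3.1 SHA-1 signature is rejected under default settings. Both legacy tests are deleted, and the only edit is moving `signing.loads(signed)` inside the `self.settings(DEFAULT_HASHING_ALGORITHM='sha1')` block. A negative test reusing the deleted fixture would pin the removal so a verification fallback cannot come back unnoticed: `with self.assertRaises(signing.BadSignature): signing.Signer().unsign('foo:l-EMM5FtewpcHMbKFeQodt3X9z8')`. The fixture from the deleted `test_dumps_loads_legacy_signature` could be checked the same way against `signing.loads()`.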