fix: pin pkcs8 to 0.11.0-rc.11 to unblock bundle CI#148
Merged
zachsmith1 merged 1 commit intomainfrom Apr 27, 2026
Merged
Conversation
pkcs8 0.11.0-rc.12 (released 2026-04-27) changed Error::KeyMalformed from a unit variant to a tuple variant KeyMalformed(KeyError). Both ed25519 3.0.0-rc.4 and ed25519-dalek 3.0.0-pre.1 — pulled in transitively via iroh — still use it as a unit variant, so the build fails to compile against rc.12. Bundle CI runs `cargo generate-lockfile` before each build, which discards the committed lock and re-resolves to the latest matching prerelease. The pin must therefore live in the manifest. `=0.11.0-rc.11` intersects with ed25519's `^0.11.0-rc.10` requirement to lock the working version. Remove once iroh upgrades to an ed25519/dalek release that targets pkcs8 rc.12+.
scotwells
approved these changes
Apr 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Error::KeyMalformeda tuple variant carryingKeyError. Bothed25519 3.0.0-rc.4anded25519-dalek 3.0.0-pre.1— pulled in transitively viairoh*— still use it as a unit variant, so the build fails with?couldn't convert the error to pkcs8::Error ined25519/src/pkcs8.rsanded25519-dalek/src/signing.rs.cargo generate-lockfileon all three platforms beforedx bundle --locked, which discards the committed lock and re-resolves to the latest matching prerelease. The pin must live in the manifest, not justCargo.lock.pkcs8 = "=0.11.0-rc.11"inlib/Cargo.tomlintersects withed25519's^0.11.0-rc.10requirement and locks the last known-working version.Why not
[patch.crates-io]to a fixed ed25519?Upstream pushed a fix in RustCrypto/signatures
d8b1875athat targets pkcs8 rc.12, but the matchinged25519-dalekchange isn't in dalek's tree yet — patching onlyed25519leaves dalek'ssigning.rsbroken. A version pin is the smallest stable workaround until both crates publish releases compatible with rc.12.Follow-up
The deeper issue is
cargo generate-lockfileinbundle.yml— it undermines lockfile reproducibility and lets prerelease churn upstream break the build at any time. Worth replacing with a surgical workspace-only lock sync in a follow-up PR.Test plan
cargo check --workspace --lockedpasses locallyCargo.lockresolvespkcs8to0.11.0-rc.11