URGENT -- fix: Add lxml 6.x compatibility for XML signature namespace handling #444
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Reparse XML after signing to ensure namespaces are correctly associated
with elements (required for lxml 6.x when using default namespace)
- Update dependency constraints to allow lxml >=5.4.0 and signxml >=4.1.0
- Fix certificate test to use platform-independent temp directory
lxml 6.0 changed how elements with default namespaces (xmlns without prefix)
are handled internally. Elements created with nsmap={None: "..."} no longer
have the namespace in their tag property, causing XPath queries with
namespace prefixes to fail.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
felps-dev
requested review from
Copilot,
juniortada,
leogregianin and
leotada
felps-dev
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds compatibility with lxml 6.x, which introduced a breaking change in how default namespaces are handled internally. When signxml creates signature elements with a default namespace, lxml 6.x no longer associates the namespace with the element's internal tag property, causing XPath queries to fail despite correct xmlns declarations in the serialized XML.
Changes:
- Added a reparse step after XML signing to ensure namespaces are correctly associated with elements for lxml 6.x compatibility
- Updated dependency constraints to allow lxml >=5.4.0 and signxml >=4.1.0 (removing upper bounds)
- Fixed certificate test to use cross-platform temp directory instead of hardcoded
/tmp/
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pynfe/processamento/assinatura.py | Added serialize-reparse workaround after signing to fix lxml 6.x namespace handling; reuses serialized string efficiently |
| pyproject.toml | Updated lxml and signxml to use minimum version constraints without upper bounds |
| requirements.txt | Added minimum version constraints for all dependencies (requests, lxml, signxml, cryptography) |
| tests/test_certificadoA1.py | Fixed test to use platform-independent tempfile.gettempdir() instead of hardcoded /tmp/ |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
juniortada
previously approved these changes
Feb 4, 2026
leogregianin
previously approved these changes
Feb 4, 2026
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
felps-dev
dismissed stale reviews from leogregianin and juniortada
via
4fd6e62
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 4 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
juniortada
approved these changes
Feb 5, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds compatibility with lxml 6.x which introduced a breaking change in how default namespaces are handled internally.
The Problem
When
signxmlcreates signature elements using a default namespace (nsmap={None: "http://www.w3.org/2000/09/xmldsig#"}), lxml 6.x no longer associates the namespace with the element's internaltagproperty. This causes XPath queries with namespace prefixes to fail, even though the serialized XML contains the correctxmlns=declaration.tagproperty{http://...}SignatureSignatureThe Fix
xmlns=declarationslxml >=5.4.0andsignxml >=4.1.0(removes upper bounds)tempfile.gettempdir()instead of hardcoded/tmp/for cross-platform compatibility (macOS uses/var/folders/...)Changes
pynfe/processamento/assinatura.py- Add reparse step after signingpyproject.toml- Update lxml and signxml version constraintsrequirements.txt- Pin minimum versions for all dependenciestests/test_certificadoA1.py- Use platform-independent temp directoryTesting
All 134 tests pass with:
References