gh-137134: Update SQLite to 3.50.4 for binary releases

Android/android.py

@@ -187,7 +187,7 @@ def unpack_deps(host, prefix_dir):
     os.chdir(prefix_dir)
     deps_url = "https://github.com/beeware/cpython-android-source-deps/releases/download"
     for name_ver in ["bzip2-1.0.8-3", "libffi-3.4.4-3", "openssl-3.0.15-4",
-                     "sqlite-3.49.1-0", "xz-5.4.6-1", "zstd-1.5.7-1"]:
+                     "sqlite-3.50.3-0", "xz-5.4.6-1", "zstd-1.5.7-1"]:
         filename = f"{name_ver}-{host}.tar.gz"
         download(f"{deps_url}/{name_ver}/{filename}")
         shutil.unpack_archive(filename)

Mac/BuildScript/build-installer.py

@@ -37,6 +37,7 @@
 Usage: see USAGE variable in the script.
 """
 import platform, os, sys, getopt, textwrap, shutil, stat, time, pwd, grp
+import hashlib
 try:
     import urllib2 as urllib_request
 except ImportError:
@@ -359,9 +360,9 @@ def library_recipes():
                   ),
           ),
           dict(
-              name="SQLite 3.49.1",
-              url="https://sqlite.org/2025/sqlite-autoconf-3490100.tar.gz",
-              checksum="106642d8ccb36c5f7323b64e4152e9b719f7c0215acf5bfeac3d5e7f97b59254",
+              name="SQLite 3.50.3",
+              url="https://www.sqlite.org/2025/sqlite-autoconf-3500300.tar.gz",
+              checksum="sha3-256:c3df1542703a666d3f41bb623e9bed7d6e1dc81c57f0c45e3122403f862c520d",
               extra_cflags=('-Os '
                             '-DSQLITE_ENABLE_FTS5 '
                             '-DSQLITE_ENABLE_FTS4 '
@@ -795,7 +796,7 @@ def downloadURL(url, fname):
 def verifyThirdPartyFile(url, checksum, fname):
     """
     Download file from url to filename fname if it does not already exist.
-    Abort if file contents does not match supplied md5 checksum.
+    Abort if file contents does not match supplied hashlib checksum.
     """
     name = os.path.basename(fname)
     if os.path.exists(fname):
@@ -805,16 +806,30 @@ def verifyThirdPartyFile(url, checksum, fname):
         print("Downloading %s"%(name,))
         downloadURL(url, fname)
         print("Archive for %s stored as %s"%(name, fname))
-    if len(checksum) == 32:
+    if ':' in checksum:
+        algo, _, checksum = checksum.partition(':')
+        assert algo in hashlib.algorithms_guaranteed, f"Unsupported {algo}, try sha3-256 or sha256 instead."
+        if algo in ("md5", "sha1"):
+            raise ValueError(f"Known insecure checksum algorithm {algo} for {fname}.")
+        if algo.startswith(("shake", "blake")):
+            raise ValueError(f"Please stick to sha2 or sha3 standard checksum algorithms, not {algo}")
+    # TODO remove length based logic AND legacy md5s after updating the ones we already list.
+    elif len(checksum) == 32:
         algo = 'md5'
+        print("WARNING: insecure md5 used for {fname}", file=sys.stderr)
     elif len(checksum) == 64:
         algo = 'sha256'
     else:
         raise ValueError(checksum)
-    if os.system(
-            'CHECKSUM=$(openssl %s %s) ; test "${CHECKSUM##*= }" = "%s"'
-                % (algo, shellQuote(fname), checksum) ):
-        fatal('%s checksum mismatch for file %s' % (algo, fname))
+    with open(fname, 'rb') as downloaded_file:
+        if hasattr(hashlib, 'file_digest'):
+            hasher = hashlib.file_digest(downloaded_file, algo)  # 3.11+
+        else:
+            hasher = hashlib.new(algo, downloaded_file.read())
+        computed_checksum = hasher.hexdigest()
+        if computed_checksum != checksum:
+            fatal(f"{algo} hashlib checksum mismatch for file {fname}")
+
 
 def build_universal_openssl(basedir, archList):
     """

Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst

@@ -0,0 +1 @@
+Update Windows installer to ship with SQLite 3.50.3.

Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst

@@ -0,0 +1 @@
+Update macOS installer to ship SQLite version 3.50.3.

Misc/externals.spdx.json

@@ -91,21 +91,21 @@
       "checksums": [
         {
           "algorithm": "SHA256",
-          "checksumValue": "e335aeb44fa36cde60ecbb6a9f8be6f5d449d645ce9b0199ee53a7e6728d19d2"
+          "checksumValue": "b1c4b2bf9be3923aea18da433a1c479fcc30b4905e4e1c7c30f069387dc7ea9c"
         }
       ],
-      "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.49.1.0.tar.gz",
+      "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.50.3.0.tar.gz",
       "externalRefs": [
         {
           "referenceCategory": "SECURITY",
-          "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.49.1.0:*:*:*:*:*:*:*",
+          "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.50.3.0:*:*:*:*:*:*:*",
           "referenceType": "cpe23Type"
         }
       ],
       "licenseConcluded": "NOASSERTION",
       "name": "sqlite",
       "primaryPackagePurpose": "SOURCE",
-      "versionInfo": "3.49.1.0"
+      "versionInfo": "3.50.3.0"
     },
     {
       "SPDXID": "SPDXRef-PACKAGE-tcl-core",
@@ -214,4 +214,4 @@
     }
   ],
   "spdxVersion": "SPDX-2.3"
-}
+}

PCbuild/get_externals.bat

@@ -56,7 +56,7 @@ set libraries=%libraries%                                       bzip2-1.0.8
 if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries%  libffi-3.4.4
 if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-3.0.16
 set libraries=%libraries%                                       mpdecimal-4.0.0
-set libraries=%libraries%                                       sqlite-3.49.1.0
+set libraries=%libraries%                                       sqlite-3.50.3.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.15.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.15.0
 set libraries=%libraries%                                       xz-5.2.5

PCbuild/python.props

@@ -74,7 +74,7 @@
   <Import Project="$(ExternalProps)" Condition="$(ExternalProps) != '' and Exists('$(ExternalProps)')" />
 
   <PropertyGroup>
-    <sqlite3Dir Condition="$(sqlite3Dir) == ''">$(ExternalsDir)sqlite-3.49.1.0\</sqlite3Dir>
+    <sqlite3Dir Condition="$(sqlite3Dir) == ''">$(ExternalsDir)sqlite-3.50.3.0\</sqlite3Dir>
     <bz2Dir Condition="$(bz2Dir) == ''">$(ExternalsDir)bzip2-1.0.8\</bz2Dir>
     <lzmaDir Condition="$(lzmaDir) == ''">$(ExternalsDir)xz-5.2.5\</lzmaDir>
     <libffiDir Condition="$(libffiDir) == ''">$(ExternalsDir)libffi-3.4.4\</libffiDir>

PCbuild/readme.txt

@@ -237,7 +237,7 @@ _ssl
     again when building.
 
 _sqlite3
-    Wraps SQLite 3.49.1, which is itself built by sqlite3.vcxproj
+    Wraps SQLite 3.50.3, which is itself built by sqlite3.vcxproj
     Homepage:
         https://www.sqlite.org/