Add workaround for py-vapid cryptography deprecation warning (#793)

50-Course · web-flow · commit 0a07629c91c8 · 2026-02-15T21:19:33.000+01:00
Update WebPush.rst to include alternative VAPID key generation method using ecdsa library directly, addressing compatibility issues with py-vapid and newer cryptography versions. Refs: #781
diff --git a/docs/WebPush.rst b/docs/WebPush.rst
@@ -7,26 +7,70 @@ These are in addition to the instalation steps for django-push-notifications[WP]
 
 Configure the VAPID keys
 ------------------------------
-- Install:
+
+.. note::
+   There is currently a known issue with the ``py-vapid`` library causing deprecation warnings with newer versions of the ``cryptography`` library. While this issue is being resolved upstream (see `py-vapid issue #105 <https://github.com/web-push-libs/vapid/issues/105>`_), we recommend using the alternative method below.
+
+**Recommended Method: Generate keys using standalone script**
+
+This method uses the ``ecdsa`` library directly and avoids the ``py-vapid`` compatibility issue:
+
+- Install the dependency:
+
+.. code-block:: bash
+
+	pip install ecdsa
+
+- Create and run this key generation script (shout-out to `@Tobiaqs <https://gist.github.com/Tobiaqs/450a4516ae44813792b7d84028c366c0>`_ for providing this script):
 
 .. code-block:: python
 
-	pip install py-vapid  (Only for generating key)
+	# vapid_keygen.py
+	import base64
+	import ecdsa
+
+	def generate_vapid_keypair():
+	    """
+	    Generate a new set of encoded key-pair for VAPID
+	    """
+	    pk = ecdsa.SigningKey.generate(curve=ecdsa.NIST256p)
+	    vk = pk.get_verifying_key()
+
+	    return {
+	        'private_key': base64.urlsafe_b64encode(pk.to_string()).strip(b"="),
+	        'public_key': base64.urlsafe_b64encode(b"\x04" + vk.to_string()).strip(b"=")
+	    }
+
+	keys = generate_vapid_keypair()
 
-- Generate public and private keys:
+	print("\nPrivate key (use for WP_PRIVATE_KEY setting):\n")
+	print(keys["private_key"].decode())
+	print("\nPublic key (use as Application Server Key in client JavaScript):\n")
+	print(keys["public_key"].decode())
+	print()
+
+- Run the script:
+
+.. code-block:: bash
+
+	python vapid_keygen.py
+
+The private key output should be used with the setting ``WP_PRIVATE_KEY``.
+The public key will be used in your client side JavaScript as the Application Server Key (see example below).
+
+**Method 2: Using py-vapid (once upstream fix is released)**
+
+Once the upstream issue is resolved, you can use ``py-vapid`` as originally documented:
 
 .. code-block:: bash
 
+	pip install py-vapid
 	vapid --gen
 
 	Generating private_key.pem
 	Generating public_key.pem
 
-
-The private key generated is the file to use with the setting ``WP_PRIVATE_KEY``
-The public key will be used in your client side javascript, but first it must be formated as an Application Server Key
-
-- Generate client public key (applicationServerKey)
+Then format as Application Server Key:
 
 .. code-block:: bash
 
@@ -35,7 +79,6 @@ The public key will be used in your client side javascript, but first it must be
 	Application Server Key = <Your Public Key>
 
 
-
 Client Side logic to ask user for permission and subscribe to WebPush
 ------------------------------
 The example subscribeUser function is best called in response to a user action, such as a button click. Some browsers will deny the request otherwise.
