How to debug bad upload tokens? #17182

Open
dimaqq opened this issue Nov 28, 2024 · 6 comments
Labels: requires triaging (maintainers need to do initial inspection of issue)

Comments

@dimaqq

dimaqq commented Nov 28, 2024

When I run twine upload --verbose dist/*, all I see is:

INFO     Response from https://upload.pypi.org/legacy/:
         403 Invalid API Token: signatures do not match
INFO     <html>
          <head>
           <title>403 Invalid API Token: signatures do not match</title>
          </head>
          <body>
           <h1>403 Invalid API Token: signatures do not match</h1>
           Access was denied to this resource.<br/><br/>
         Invalid API Token: signatures do not match


          </body>
         </html>
ERROR    HTTPError: 403 Forbidden from https://upload.pypi.org/legacy/
         Invalid API Token: signatures do not match

Now I think I used this very token some time before and it worked, but ofc., how can I be sure now?

dimaqq added the "requires triaging" label Nov 28, 2024
@di
Member

di commented Dec 2, 2024

Is it possible that you're using an API token from TestPyPI for PyPI or vice versa?

If you can email the token to [email protected], we can further help with debugging. Don't post it publicly here or elsewhere.

@dimaqq
Author

dimaqq commented Dec 3, 2024

I have a theory about what happened.
The token is longer than one line in an ephemeral terminal window.
I suspect that copy-pasting the token injected a newline or maybe a trailing space and twine misread or missent the token.

I've since generated a new token and am more careful, and things work.

I kinda wish there was more... just more visibility, like JWTs can be inspected with tools; maybe if the token appears truncated or is simply the wrong length, maybe that could be detected?

@di
Member

di commented Dec 3, 2024

I have a theory about what happened.
The token is longer than one line in an ephemeral terminal window.
I suspect that copy-pasting the token injected a newline or maybe a trailing space and twine misread or missent the token.

It's possible! Hard to say without being able to see the token, however.

I kinda wish there was more... just more visibility, like JWTs can be inspected with tools; maybe if the token appears truncated or is simply the wrong length, maybe that could be detected?

We're actually getting a lot of visibility here: it's telling us that the signature that is included inside the token is invalid. This could be from a number of things: missing or malformed characters, or a misused token. Unfortunately the tokens don't have a fixed size, so simply checking the length is not possible.

@woodruffw
Member

On top of what @di said: PyPI's API tokens are Macaroons, so you can parse them locally and extract their "caveats" (roughly analogous to JWT claims). I don't know of a super nice one-off tool that'll do this for you, though, since each Macaroon implementation chooses its own caveat layout (e.g. PyPI uses a packed encoding, but others might use JSON or CBOR or something else).
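
An added example, not code from this thread or from pypitoken, of the local parse described above: it walks the Macaroon v2 binary layout (version byte, header section, caveat sections, signature packet, each field a varint tag plus varint length) and reports structural defects such as stray whitespace, a truncated token or a missing signature, which is the check dimaqq asked for without relying on a fixed length. It assumes a PyPI token is "pypi-" followed by unpadded base64url of a v2 binary Macaroon; the sample token is constructed here with placeholder id and caveat bodies and an all-zero signature, so it does not reflect PyPI's real caveat encoding.

```python
import base64
import re
# Macaroon v2 binary field tags (libmacaroons format.txt, also used by pymacaroons)
EOS, LOCATION, IDENTIFIER, VID, SIGNATURE = 0, 1, 2, 4, 6

def _varint(buf, pos):  # unsigned LEB128; IndexError means the buffer ended mid-number
    value, shift = 0, 0
    while buf[pos] >= 0x80:
        value, pos, shift = value | (buf[pos] & 0x7F) << shift, pos + 1, shift + 7
    return value | buf[pos] << shift, pos + 1

def _section(buf, pos):  # {tag: data} packets up to the EOS tag, which has no length/data
    fields = {}
    while True:
        tag, pos = _varint(buf, pos)
        if tag == EOS:
            return fields, pos
        length, pos = _varint(buf, pos)
        fields[tag], pos = buf[pos:pos + length], pos + length

def inspect_token(token: str) -> dict:
    m = re.fullmatch(r"pypi-([A-Za-z0-9_-]+)", token)  # prefix, base64url alphabet, no whitespace
    if not m:
        raise ValueError("expected 'pypi-' + base64url only (newline or space pasted into the token?)")
    raw = base64.urlsafe_b64decode(m[1] + "=" * (-len(m[1]) % 4))
    if raw[:1] != b"\x02":
        raise ValueError("not a v2 Macaroon")
    try:
        header, pos = _section(raw, 1)  # [location] identifier EOS
        caveats = []
        while True:
            cav, pos = _section(raw, pos)  # [location] identifier [vid] EOS
            if not cav:  # an empty section (lone EOS) terminates the caveat list
                break
            caveats.append(cav.get(IDENTIFIER, b"").decode("utf-8", "replace"))
        trailer, _ = _section(raw + b"\x00", pos)  # sentinel EOS: the signature packet is last
    except IndexError:
        raise ValueError("macaroon cut off: the token is truncated") from None
    sig = trailer.get(SIGNATURE, b"")
    if IDENTIFIER not in header or len(sig) != 32:
        raise ValueError("missing identifier or bad signature field (expected 32-byte HMAC-SHA256)")
    return {"location": header.get(LOCATION, b"").decode(), "identifier": header[IDENTIFIER].decode(),
            "caveats": caveats, "signature_hex": sig.hex()}

def _packet(tag, data):  # encoder for the constructed sample below only (payloads under 128 bytes)
    return bytes([tag, len(data)]) + data
# Constructed sample: the shape of a PyPI token with placeholder id, caveats and an all-zero signature
SAMPLE_TOKEN = "pypi-" + base64.urlsafe_b64encode(
    b"\x02" + _packet(LOCATION, b"pypi.org") + _packet(IDENTIFIER, b"constructed-id") + b"\x00"
    + _packet(IDENTIFIER, b'["constructed-caveat-1"]') + b"\x00"
    + _packet(IDENTIFIER, b'["constructed-caveat-2"]') + b"\x00"
    + b"\x00" + _packet(SIGNATURE, bytes(32))).decode().rstrip("=")
```

Run inspect_token on a real token only locally and never log or paste the result; the caveat bodies of a real PyPI token are in PyPI's own packed layout, which this code prints as raw text rather than interpreting.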

@di
Member

di commented Dec 3, 2024

This should be possible with https://pypi.org/project/pypitoken/ I think?

@woodruffw
Member

This should be possible with pypi.org/project/pypitoken I think?

Ah yep, forgot about that!
