Sorry for the breakage!

[woodruffw]

Hi there! Your recent failed publish to PyPI (here) set off an alert on PyPI's side, which I've been triaging.

I've isolated the problem down to an overly conservative assumption in how PyPI verifies uploaded attestations, and I'm working on a fix now. I'll update this issue with xrefs as I build out the fix.

TL;DR: Your publishing workflow produced a perfectly valid attestation, but one that didn't include a ref claim for whatever reason. We've seen this happen before with Trusted Publishing as well as we have workarounds for it, but the workaround wasn't complete for the attestation side of things.

Apologies for any confusion this caused on your end!

xref: tlog entry: https://search.sigstore.dev/?logIndex=191974551

Yak stack:

• bugfix: impl: require at least one of the source ref/sha extensions pypi/pypi-attestations#109
• requirements: bump pypi-attestations to 0.0.23 pypi/warehouse#17913

[kyleaoman]

@woodruffw thanks for illuminating what was going on! Eventully figured out that it was something to do with attestations and that they were still experimental, so switched them off for the moment. The error message was a bit cryptic, maybe mention there that this is an experimental feature and link to docs or hint at how to temporarily disable? My first reaction was "what's an attestation" and it took a few tries to land on a useful documentation page.

[woodruffw]

The error message was a bit cryptic, maybe mention there that this is an experimental feature and link to docs or hint at how to temporarily disable?

Yeah, adding a documentation link to our error here would be really good. Unfortunately in this case the error message was a bare spitout of an exception in PyPI's backend, but I'll be adding controls for that as well.

[woodruffw]

Update: the fix on PyPI's side has landed, and should be live momentarily. So, you shouldn't experience any more issues with attestations here!

(The error message is still non-ideal; I'll be looking into that separately.)