fixup! cli: Support friendlier syntax for verify pypi command

Author: facutuesca

CHANGELOG.md

@@ -12,10 +12,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - The CLI subcommand `verify attestation` now supports `.slsa.attestation`
   files. When verifying an artifact, both `.publish.attestation` and
   `.slsa.attestation` files are used (if present).
-- The CLI subcommand `verify attestation` now supports a friendlier
+- The CLI subcommand `verify pypi` now supports a friendlier
   syntax to specify the artifact to verify. The artifact can now be
-  specified as `$PKG_NAME/$FILE_NAME`, e.g: 
-  `sampleproject/sampleproject-1.0.0.tar.gz`. The old way (passing
+  specified with a `pypi:` prefix followed by the filename, e.g:
+  `pypi:sampleproject-1.0.0.tar.gz`. The old way (passing
   the direct URL) is still supported.
 
 ## [0.0.21]

README.md

@@ -142,12 +142,12 @@ pypi-attestations verify attestation  \
 
 ### Verifying a PyPI package
 > [!NOTE]
-> The package to verify can be passed either as $PKG_NAME/$FILE_NAME (e.g:
-> 'sampleproject/sampleproject-1.0.0-py3-none-any.whl'), or as a direct URL
+> The package to verify can be passed either as a `pypi:` prefixed filename (e.g:
+> 'pypi:sampleproject-1.0.0-py3-none-any.whl'), or as a direct URL
 > to the artifact hosted by PyPI.
 ```bash
 pypi-attestations verify pypi --repository https://github.com/sigstore/sigstore-python \
-  sigstore/sigstore-3.6.1-py3-none-any.whl
+  pypi:sigstore-3.6.1-py3-none-any.whl
 
 # or alternatively:
 pypi-attestations verify pypi --repository https://github.com/sigstore/sigstore-python \

src/pypi_attestations/_cli.py

@@ -139,9 +139,8 @@ def _parser() -> argparse.ArgumentParser:
         "distribution_file",
         metavar="PYPI_FILE",
         type=str,
-        help="PyPI file to verify formatted as $PKG_NAME/$FILE_NAME, e.g: "
-        "sampleproject/sampleproject-1.0.0.tar.gz. Direct URLs to the hosted file are also "
-        "supported.",
+        help="PyPI file to verify, can be either: (1) pypi:$FILE_NAME (e.g. "
+        "pypi:sampleproject-1.0.0.tar.gz) or (2) A direct URL to files.pythonhosted.org",
     )
 
     verify_pypi_command.add_argument(
@@ -237,14 +236,23 @@ def _download_file(url: str, dest: Path) -> None:
 def _get_direct_url_from_arg(arg: str) -> URIReference:
     """Parse the artifact argument for the `verify pypi` subcommand.
 
-    The argument can be either a direct URL to a PyPI-hosted artifact,
-    or a friendly-formatted alternative: '$PKG_NAME/$FILE_NAME'.
+    The argument can be:
+    - A pypi: prefixed filename (e.g. pypi:sampleproject-1.0.0.tar.gz)
+    - A direct URL to a PyPI-hosted artifact
     """
     direct_url = None
-    components = arg.split("/")
-    # We support passing the file argument as $PKG_NAME/$FILE_NAME
-    if len(components) == 2:
-        pkg_name, file_name = components
+
+    if arg.startswith("pypi:"):
+        file_name = arg[5:]
+        try:
+            if file_name.endswith(".tar.gz") or file_name.endswith(".zip"):
+                pkg_name, _ = parse_sdist_filename(file_name)
+            elif file_name.endswith(".whl"):
+                pkg_name, _, _, _ = parse_wheel_filename(file_name)
+            else:
+                _die("File should be a wheel (*.whl) or a source distribution (*.zip or *.tar.gz)")
+        except (InvalidSdistFilename, InvalidWheelFilename) as e:
+            _die(f"Invalid distribution filename: {e}")
 
         provenance_url = f"https://pypi.org/simple/{pkg_name}"
         response = requests.get(
@@ -261,7 +269,7 @@ def _get_direct_url_from_arg(arg: str) -> URIReference:
                 direct_url = file_json.get("url", "")
                 break
         if not direct_url:
-            _die(f"Could not find the artifact '{file_name}' for '{pkg_name}'")
+            _die(f"Could not find the artifact '{file_name}' on PyPI")
     else:
         direct_url = arg
 

test/test_cli.py

@@ -373,8 +373,8 @@ def test_validate_files(tmp_path: Path, caplog: pytest.LogCaptureFixture) -> Non
     [
         (pypi_wheel_url, pypi_wheel_filename),
         (pypi_sdist_url, pypi_sdist_filename),
-        (pypi_wheel_abbrev, pypi_wheel_filename),
-        (pypi_sdist_abbrev, pypi_sdist_filename),
+        (f"pypi:{pypi_wheel_filename}", pypi_wheel_filename),
+        (f"pypi:{pypi_sdist_filename}", pypi_sdist_filename),
     ],
 )
 def test_verify_pypi_command(
@@ -468,7 +468,7 @@ def test_verify_pypi_invalid_url(
     assert "Unsupported/invalid URL" in caplog.text
 
 
-def test_verify_pypi_invalid_file_name(
+def test_verify_pypi_invalid_file_name_url(
     caplog: pytest.LogCaptureFixture, monkeypatch: pytest.MonkeyPatch
 ) -> None:
     # Failure because file is neither a wheer nor a sdist
@@ -503,6 +503,41 @@ def test_verify_pypi_invalid_file_name(
     assert "Invalid wheel filename" in caplog.text
 
 
+def test_verify_pypi_invalid_sdist_filename_pypi(
+    caplog: pytest.LogCaptureFixture, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    # Failure because file is neither a wheer nor a sdist
+    monkeypatch.setattr(pypi_attestations._cli, "_download_file", lambda url, dest: None)
+    with pytest.raises(SystemExit):
+        run_main_with_command(
+            [
+                "verify",
+                "pypi",
+                "--repository",
+                "https://github.com/sigstore/sigstore-python",
+                f"pypi:{pypi_wheel_filename}.invalid_ext",
+            ]
+        )
+    assert (
+        "File should be a wheel (*.whl) or a source distribution (*.zip or *.tar.gz)" in caplog.text
+    )
+
+    caplog.clear()
+
+    """Test that invalid sdist filenames are properly handled."""
+    with pytest.raises(SystemExit):
+        run_main_with_command(
+            [
+                "verify",
+                "pypi",
+                "--repository",
+                "https://github.com/sigstore/sigstore-python",
+                "pypi:invalid-sdist-name.tar.gz",  # Invalid sdist filename format
+            ]
+        )
+    assert "Invalid distribution filename:" in caplog.text
+
+
 @online
 def test_verify_pypi_validation_fails(
     caplog: pytest.LogCaptureFixture, monkeypatch: pytest.MonkeyPatch
@@ -575,10 +610,10 @@ def test_verify_pypi_error_finding_package_info(
                 "pypi",
                 "--repository",
                 "https://github.com/sigstore/sigstore-python",
-                "somepkg/somefile",
+                "pypi:somefile-1.0.0.tar.gz",
             ]
         )
-    assert "Error trying to get information for 'somepkg' from PyPI: myerror" in caplog.text
+    assert "Error trying to get information for 'somefile' from PyPI: myerror" in caplog.text
 
 
 def test_verify_pypi_error_finding_artifact_url(
@@ -594,10 +629,10 @@ def test_verify_pypi_error_finding_artifact_url(
                 "pypi",
                 "--repository",
                 "https://github.com/sigstore/sigstore-python",
-                "somepkg/somefile",
+                "pypi:somefile-1.0.0.tar.gz",
             ]
         )
-    assert "Could not find the artifact 'somefile' for 'somepkg'" in caplog.text
+    assert "Could not find the artifact 'somefile-1.0.0.tar.gz' on PyPI" in caplog.text
 
 
 def test_verify_pypi_error_validating_provenance(