How to debug bad upload tokens?

[dimaqq]

When I twine upload --verbose dist/*, all I see is:

INFO     Response from https://upload.pypi.org/legacy/:
         403 Invalid API Token: signatures do not match
INFO     <html>
          <head>
           <title>403 Invalid API Token: signatures do not match</title>
          </head>
          <body>
           <h1>403 Invalid API Token: signatures do not match</h1>
           Access was denied to this resource.<br/><br/>
         Invalid API Token: signatures do not match


          </body>
         </html>
ERROR    HTTPError: 403 Forbidden from https://upload.pypi.org/legacy/
         Invalid API Token: signatures do not match

Now I think I used this very token some time before and it works, but ofc., how can I be sure now?

[di]

Is it possible that you're using an API token from TestPyPI for PyPI or vice versa?

If you can email the token to admin@pypi.org, we can further help with debugging. Don't post it publicly here or elsewhere.

[dimaqq]

I have a theory about what happened.
The token is longer than one line in an ephemeral terminal window.
I suspect that copy-pasting the token injected a newline or maybe a trailing space and twine misread or missent the token.

I've since generated new token and am more careful, and things work.

I kinda wish there was more... just more visibility, like JWTs can be inspected with tools; maybe if the token appears truncated or is simply the wrong length, maybe that cloud be detected?

[di]

I have a theory about what happened.
The token is longer than one line in an ephemeral terminal window.
I suspect that copy-pasting the token injected a newline or maybe a trailing space and twine misread or missent the token.

It's possible! Hard to say without being able to see the token, however.

I kinda wish there was more... just more visibility, like JWTs can be inspected with tools; maybe if the token appears truncated or is simply the wrong length, maybe that cloud be detected?

We're actually getting a lot of visibility here: it's telling us that the signature that is included inside the token is invalid. This could be from a number of things: missing or malformed characters, or a missused token. Unfortunately the tokens don't have a fixed size so simply checking the length is not possible.

[woodruffw]

On top of what @di said: PyPI's API tokens are Macaroons, so you can parse them locally and extract their "caveats" (roughly analogous to JWT claims). I don't know of a super nice one-off tool that'll do this for you, though, since each Macaroon implementation chooses its own caveat layout (e.g. PyPI uses a packed encoding, but others might use JSON or CBOR or something else).

[di]

This should be possible with https://pypi.org/project/pypitoken/ I think?

[woodruffw]

This should be possible with pypi.org/project/pypitoken I think?

Ah yep, forgot about that!