Attestation error: "Verification failed: subject does not match distribution name"

[arahlin]

I'm getting an error about invalid attestations trying to publish my project to PyPI. I use a pretty typical workflow: cibuildwheel to create wheels, and upload-artifact/download-artifact actions to collect all the wheels into one directory for this pypi upload action.

It looks like something is mangling a wheel name in the attestation subject in the process, as the upload fails on one of the wheels with this error:

Uploading spt3g-1.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
WARNING  Error during upload. Retry with the --verbose option for more details. 
ERROR    HTTPError: 400 Bad Request from https://upload.pypi.org/legacy/        
         Invalid attestations supplied during upload: Could not verify the      
         uploaded artifact using the included attestation: Verification failed: 
         subject does not match distribution name:                              
         spt3g-1.0-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.whl !=
         spt3g-1.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl   

This is my workflow, and this is the failed action run.

I've disabled attestations for now, but am reporting this so that it can be resolved for future releases.

[webknjaz]

@woodruffw has anything changed in PyPI regarding sorting the wheel tags?

@bdraco just pointed me at the same problem roughly 20 minutes ago: https://github.com/aio-libs/frozenlist/actions/runs/15404234130/job/43344457100#step:9:823.

I haven't noticed any obvious changes in Warehouse that would be related. Although... could it be the recent deps bump?

[webknjaz]

Could pypi/warehouse#18140 be at fault? (though pypi/warehouse#18220)

[webknjaz]

It's actually bumped in #359 too but isn't yet released.

I imagine cutting a new release might solve it.

As a workaround, it should be possible to pin to the last commit or the unstable branch.

[arahlin]

Following a few links down through #359, I think pypa/auditwheel#583 might be the actual culprit, so presumably a new auditwheel release (or perhaps an update to cibuildwheel) would also solve this.

[webknjaz]

Ouch.. Though, this would mean that PyPI also sorts them but differently, maybe?

cc @di @henryiii for visibility

[woodruffw]

Thanks for the ping. That Warehouse PR seems like the likely culprit, although I don't understand the "why" of it yet -- that bump should make wheel tag comparisons more permissive, not less. I'll be able to diagnose more when I'm in front of a computer.

[webknjaz]

@woodruffw would it matter that I haven't yet tagged the action with the bumped dep?

[henryiii]

We had to adapt for this in cibuildwheel's test suite in pypa/cibuildwheel#2426. It's an auditwheel change. Comparisons in theory should be done using packaging's normalized name tuple. Order doesn't matter in the spec.

These will suddenly become a lot more common when we release cibuildwheel 3.0 (very soon).

[webknjaz]

Thanks for another data point! I'll wait for the discussion here overnight and get back to this tomorrow.