publish fails with 403 Client Error: Invalid or non-existent authentication information #1333

Closed
lofidevops opened this issue Aug 21, 2022 · 3 comments · Fixed by #1430
Labels
🐛 bug Something isn't working

Comments

@lofidevops

  • I have searched the issue tracker and believe that this is not a duplicate.

Make sure you run commands with -v flag before pasting the output.

Steps to reproduce

  • Create a pdm package
  • Do not store PyPI credentials in pyproject.toml
  • Run pdm publish

Actual behavior

$ pdm publish -v
Building sdist...
pdm.termui: Preparing isolated env for PEP 517 build...
pdm.termui: Using pip 22.2.2 from /home/user/Documents/workbench/mymodule/.venv/lib/python3.10/site-packages/pip (python 3.10)
pdm.termui: Collecting pdm-pep517>=1.0.0
pdm.termui:   Using cached pdm_pep517-1.0.4-py3-none-any.whl (305 kB)
pdm.termui: Installing collected packages: pdm-pep517
pdm.termui: Successfully installed pdm-pep517-1.0.4
pdm.termui:  - Adding LICENSES/GPL-3.0-or-later.txt
pdm.termui:  - Adding LICENSES/MIT.txt
pdm.termui:  - Adding README.md
pdm.termui:  - Adding pyproject.toml
pdm.termui:  - Adding mymodule_resource/WORKFLOW.md
pdm.termui:  - Adding mymodule_resource/__init__.py
pdm.termui:  - Adding mymodule_resource/pre-commit
pdm.termui:  - Adding PKG-INFO
Built sdist at /home/user/Documents/workbench/mymodule/dist/mymodule-0.1.0.tar.gz
Building wheel...
pdm.termui: Preparing isolated env for PEP 517 build...
pdm.termui:  - Adding mymodule_resource/WORKFLOW.md
pdm.termui:  - Adding mymodule_resource/__init__.py
pdm.termui:  - Adding mymodule_resource/pre-commit
pdm.termui:  - Adding mymodule-0.1.0.dist-info/WHEEL
pdm.termui:  - Adding mymodule-0.1.0.dist-info/METADATA
pdm.termui:  - Adding mymodule-0.1.0.dist-info/license_files/LICENSES/GPL-3.0-or-later.txt
pdm.termui:  - Adding mymodule-0.1.0.dist-info/license_files/LICENSES/MIT.txt
Built wheel at /home/user/Documents/workbench/mymodule/dist/mymodule-0.1.0-py3-none-any.whl
Uploading mymodule-0.1.0-py3-none-any.whl
[PublishError]: 403 Client Error: Invalid or non-existent authentication information. See https://pypi.org/help/#invalid-auth for more 
information. for url: https://upload.pypi.org/legacy/

Expected behavior

Environment Information

pdm info && pdm info --env

PDM version:
  2.1.2
Python Interpreter:
  /home/user/Documents/workbench/mymodule/.venv/bin/python (3.10)
Project Root:
  /home/user/Documents/workbench/mymodule
Project Packages:
  None
{
  "implementation_name": "cpython",
  "implementation_version": "3.10.4",
  "os_name": "posix",
  "platform_machine": "x86_64",
  "platform_release": "5.15.0-46-generic",
  "platform_system": "Linux",
  "platform_version": "#49-Ubuntu SMP Thu Aug 4 18:03:25 UTC 2022",
  "python_full_version": "3.10.4",
  "platform_python_implementation": "CPython",
  "python_version": "3.10",
  "sys_platform": "linux"
}

pyproject.toml

[project]
name = "mymodule"
version = "0.1.0"
description = "Description of my module."
authors = [
    {name = "Name", email = "name@example.com"},
]
dependencies = [
    "pygit2>=1.10.0",
]
requires-python = ">=3.10"
readme = "README.md"
license = {text = "GPL-3.0-or-later"}

[project.optional-dependencies]

[build-system]
requires = ["pdm-pep517>=1.0.0"]
build-backend = "pdm.pep517.api"

[tool]
[tool.pdm]
[tool.pdm.dev-dependencies]
dev = [
    "reuse>=1.0.0",
]
@lofidevops lofidevops added the 🐛 bug Something isn't working label Aug 21, 2022
@lofidevops
Author

Tried installing keyring locally:

  • pdm add --dev keyring
  • Confirmed that pdm run keyring get https://upload.pypi.org/legacy/ __token__ returns the expected value.

... no change. pdm publish and pdm publish -v still return a 403 client error.

@dvzrv

dvzrv commented Sep 1, 2022

I'm currently looking into the same and it seems that token-based authentication is not available at all.

@frostming it would be really good to support it, as exposing username and password somewhere in a plaintext file or environment variable is dangerous. It would allow attackers to compromise your account and all of the packages you maintain on pypi.org.
A token would only allow them to compromise a single package and by revoking the token the mitigation can be quick and specific.

@dvzrv

dvzrv commented Sep 2, 2022

Whoops, I must have missed the section in the documentation: https://pdm.fming.dev/latest/usage/project/#configure-the-repository-secrets-for-upload

It does not state it specifically, but it seems pdm allows for the same username/password scheme as twine does. Sorry for the noise!
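
Added example, not part of the thread and not pdm's code: a preflight check for the `__token__` username/password scheme discussed above, which reports credential-shape mistakes before an upload is attempted. The function names are hypothetical, `lookup` is assumed to have the signature of `keyring.get_password(service, username)`, and the token value is a constructed placeholder.

```python
"""Preflight check for PyPI upload credentials (added example, not pdm code)."""
from typing import Callable, Optional

PYPI_UPLOAD_URL = "https://upload.pypi.org/legacy/"  # upload URL from the log above
TOKEN_USERNAME = "__token__"  # fixed username PyPI expects with an API token
TOKEN_PREFIX = "pypi-"        # PyPI API tokens start with this prefix


def diagnose(username: Optional[str], password: Optional[str]) -> list[str]:
    """Return findings about a credential pair; an empty list means none."""
    if not username or not password:
        return ["missing username or password"]
    findings = []
    if password != password.strip():
        # A trailing newline from a pasted or piped secret is easy to overlook.
        findings.append("password has leading/trailing whitespace")
    is_token = password.strip().startswith(TOKEN_PREFIX)
    if is_token and username != TOKEN_USERNAME:
        findings.append("API token supplied but username is not '__token__'")
    if username == TOKEN_USERNAME and not is_token:
        findings.append("username is '__token__' but password is not a 'pypi-' token")
    if not is_token and username != TOKEN_USERNAME:
        # Matches the concern raised in the thread: a token can be scoped and revoked.
        findings.append("account password in use; a scoped API token limits exposure")
    return findings


def check_keyring(lookup: Callable[[str, str], Optional[str]],
                  service: str = PYPI_UPLOAD_URL) -> list[str]:
    """Check the entry that `keyring get <service> __token__` would return."""
    return diagnose(TOKEN_USERNAME, lookup(service, TOKEN_USERNAME))


if __name__ == "__main__":
    # Constructed sample store; the token is a placeholder, not a real secret.
    store = {(PYPI_UPLOAD_URL, TOKEN_USERNAME): "pypi-EXAMPLE-PLACEHOLDER\n"}
    for finding in check_keyring(lambda s, u: store.get((s, u))) or ["ok"]:
        print(finding)
```

To check a real keyring entry, pass `keyring.get_password` as `lookup`; the secret itself is never printed.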
