Improve "invalid macaroon signature" error

[di]

Right now, an API token can fail for a number of reasons, most of which produce an "invalid macaroon signature" exception.

https://github.com/pypa/warehouse/blob/aafc5185e57e67d43487ce4faa95913dd4573e14/warehouse/macaroons/caveats.py#L93

Common issues that could use more detailed error messages:

• the API token is scoped for a different project than it's being used for
• the API token is malformed and cannot be deserialized
• the API token doesn't begin with pypi-
• (probably more)

[ewjoachim]

If we're touching this part, do you think we could try and merge #8598 first ?

[di]

Yes, agreed, just wanted to capture the issue.

[achimnol]

This also may happen when the target repository does not exist yet when using an "all projects" API token. In such cases I had to first create the project by uploading using the human account credential.

But still, I'm currently debugging one of my repo facing this error, with correctly configured org-level secrets and environment variables on GitHub workflows, while many other repositories with the same token work well with the same token, and where that particular project is created using the human credential after failing with the org-configured "all projects" token and the repository name was renamed.

I tried upgrading twine from 1.x to 3.4 but had no luck yet. I'd like to see more detailed information related to this error.

[ewjoachim]

#9264 will bring much more detailed error messages.

Nevertheless, what you experience with the first upload is not the expected behavior, but it belongs to another issue. Can you open a new issue ? (Feel free to ping me)

[woodruffw]

#11122 will refactor some of the code responsible for the error handling here, hopefully making it easier to resolve this.

[woodruffw]

Another update: I figured out a relatively straightforward way to propagate the error messages we added with #11122, so I'll have a PR that resolves this soon.

[woodruffw]

Fixed by #11885.