Closed as not planned
Description
Howdy! We just had to turn off release attestations to get our releases running in langchain-ai/langchain. Haven't had a chance to dig deeper into attestation configuration in order to see what we need to fix, and thought I'd file an issue in case others run into the same thing!
Release Workflow
We run releases from the two workflow files edited in ^ that PR
- _release.yml, which calls _test_release.yml, and then publishes to pypi
- _test_release.yml for publishing to test.pypi
Error
We were seeing errors in our releases, e.g. in this workflow run: https://github.com/langchain-ai/langchain/actions/runs/11602468120/job/32307568692
Configuration of test release - 2 main things that look weird are /legacy/ and repository_url (we configure repository-url per docs)
Run pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: libs/core/dist/
verbose: true
print-hash: true
repository-url: https://test.pypi.org/legacy/
skip-existing: true
user: __token__
repository_url: https://upload.pypi.org/legacy/
packages_dir: dist
verify_metadata: true
skip_existing: false
print_hash: false
attestations: true
env:
POETRY_VERSION: 1.7.1
PYTHON_VERSION: 3.10
Logs - partially redacted
Checking libs/core/dist/langchain_core-0.3.14-py3-none-any.whl: PASSED
Checking libs/core/dist/langchain_core-0.3.14.tar.gz: PASSED
Notice: Generating and uploading digital attestations
Fulcio client using URL: https://fulcio.sigstore.dev
TUF metadata: /root/.local/share/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev
TUF targets cache: /root/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev
Found and verified trusted root
Generating ephemeral keys...
Requesting ephemeral certificate...
Retrieving signed certificate...
Found <Name(O=sigstore.dev,CN=sigstore-intermediate)> as issuer, verifying if it is a ca
attempting to verify SCT with key ID xxx
Successfully verified SCT...
DSSE PAE: xxx
proposed: xxx
integrated: xxx
Transparency log entry created with index: 145293525
DSSE PAE: xxx
proposed: xxx
integrated: xxx
Transparency log entry created with index: 145293526
Showing hash values of files to be uploaded:
/github/workspace/libs/core/dist/langchain_core-0.3.14-py3-none-any.whl
SHA256: xxx
MD5: xxx
BLAKE2-256: xxx
/github/workspace/libs/core/dist/langchain_core-0.3.14.tar.gz
SHA256: xxx
MD5: xxx
BLAKE2-256: xxx
/github/workspace/libs/core/dist/langchain_core-0.3.14-py3-none-any.whl.publish.attestation
SHA256: xxx
MD5: xxx
BLAKE2-256: xxx
/github/workspace/libs/core/dist/langchain_core-0.3.14.tar.gz.publish.attestation
SHA256: xxx
MD5: xxx
BLAKE2-256: xxx
Uploading distributions to https://test.pypi.org/legacy/
INFO libs/core/dist/langchain_core-0.3.14-py3-none-any.whl (399.1 KB)
INFO libs/core/dist/langchain_core-0.3.14.tar.gz (320.2 KB)
INFO password set by command options
INFO username: __token__
INFO password: <hidden>
Uploading langchain_core-0.3.14-py3-none-any.whl
INFO Response from https://test.pypi.org/legacy/:
400 Bad Request
INFO <html>
<head>
<title>400 Could not verify the uploaded artifact using the included
attestation: Verification failed: 0 of 2 policies succeeded</title>
</head>
<body>
<h1>400 Could not verify the uploaded artifact using the included
attestation: Verification failed: 0 of 2 policies succeeded</h1>
The server could not comply with the request since it is either
malformed or otherwise incorrect.<br/><br/>
Could not verify the uploaded artifact using the included attestation:
Verification failed: 0 of 2 policies succeeded
</body>
</html>
ERROR HTTPError: 400 Bad Request from https://test.pypi.org/legacy/
Temporary Fix
We turned off attestations with attestations: false
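The log above shows the action generating a `.publish.attestation` file next to each distribution before upload. The script below is an added example, not code from the issue, from langchain, or from pypa/gh-action-pypi-publish: it decodes one of those attestation files (the PEP 740 layout: a JSON object with a `version`, `verification_material`, and a base64-encoded in-toto statement in `envelope.statement`) and checks that the statement's single subject names the distribution and carries its SHA-256. This is a local pre-upload sanity check on the subject binding only; it does not verify the Sigstore signature or the signing identity, which is the server-side check PyPI reports on in the "0 of 2 policies succeeded" error. The sample wheel bytes, the placeholder certificate and signature, and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for a wheel; real input would be the bytes of
# libs/core/dist/langchain_core-0.3.14-py3-none-any.whl from the log above.
SAMPLE_WHEEL = b"PK\x03\x04 constructed placeholder wheel contents"
SAMPLE_WHEEL_NAME = "langchain_core-0.3.14-py3-none-any.whl"

# in-toto statement type and the PyPI publish predicate type used by PEP 740.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PUBLISH_PREDICATE = "https://docs.pypi.org/attestations/publish/v1"


def _b64json(obj: dict) -> str:
    """Base64-encode a JSON object the way the attestation envelope stores it."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


def make_sample_attestation(artifact: bytes, name: str) -> dict:
    """Build a constructed PEP 740 attestation for `artifact`.

    Only the envelope statement is realistic; the certificate and signature
    are placeholders, since this example never signs anything.
    """
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [
            {"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}
        ],
        "predicateType": PUBLISH_PREDICATE,
        "predicate": None,
    }
    return {
        "version": 1,
        "verification_material": {
            "certificate": base64.b64encode(b"<placeholder DER certificate>").decode(),
            "transparency_entries": [],
        },
        "envelope": {
            "statement": _b64json(statement),
            "signature": base64.b64encode(b"<placeholder signature>").decode(),
        },
    }


def check_attestation_subject(attestation: dict, artifact: bytes, name: str) -> tuple[bool, str]:
    """Decode the envelope statement and confirm it binds `name` to `artifact`.

    Returns (ok, reason). Every failure path returns a specific reason so a
    release engineer can see which part of the file is wrong.
    """
    if attestation.get("version") != 1:
        return False, f"unsupported attestation version {attestation.get('version')!r}"
    try:
        raw = base64.b64decode(attestation["envelope"]["statement"], validate=True)
        statement = json.loads(raw)
    except (KeyError, ValueError, TypeError) as exc:
        return False, f"envelope statement is not decodable: {exc}"
    if statement.get("_type") != STATEMENT_TYPE:
        return False, f"unexpected statement type {statement.get('_type')!r}"
    if statement.get("predicateType") != PUBLISH_PREDICATE:
        return False, f"unexpected predicateType {statement.get('predicateType')!r}"
    subjects = statement.get("subject") or []
    if len(subjects) != 1:
        return False, f"expected exactly one subject, found {len(subjects)}"
    subject = subjects[0]
    if subject.get("name") != name:
        return False, f"subject name {subject.get('name')!r} != {name!r}"
    expected = hashlib.sha256(artifact).hexdigest()
    actual = (subject.get("digest") or {}).get("sha256", "")
    # Constant-time comparison; a wrong-length digest simply compares unequal.
    if not hmac.compare_digest(actual, expected):
        return False, "subject sha256 does not match the artifact on disk"
    return True, "attestation subject matches artifact"


if __name__ == "__main__":
    att = make_sample_attestation(SAMPLE_WHEEL, SAMPLE_WHEEL_NAME)
    print(check_attestation_subject(att, SAMPLE_WHEEL, SAMPLE_WHEEL_NAME))
    # A modified wheel must no longer match the attestation's subject digest.
    print(check_attestation_subject(att, SAMPLE_WHEEL + b"\x00", SAMPLE_WHEEL_NAME))
```

To run it against a real release, replace `SAMPLE_WHEEL` with the wheel's bytes and load the `.publish.attestation` file with `json.load`; a mismatch here means the attestation was generated for different bytes than the ones being uploaded, which is a distinct problem from the identity-policy failure in the issue and is worth ruling out first because it is the cheapest check.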