Open
Description
Filing this for myself to fix/improve 🙂
If a user uploads a funky attestation (i.e. one that doesn't roughly match our expectations for a Sigstore issued machine identity cert), the upload endpoint produces a pretty opaque error message:
```
WARNING Error during upload. Retry with the --verbose option for more details.
ERROR HTTPError: 400 Bad Request from https://upload.pypi.org/legacy/
Invalid attestations supplied during upload: Unknown error while trying
to verify included attestations: No
<ObjectIdentifier(oid=1.3.6.1.4.1.57264.1.14, name=Unknown OID)>
extension was found
```
(This particular error case was a bug, now fixed with #17913. However, in the general case this still produces a non-ideal error.)
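Added example, not part of the original issue and not the upload endpoint's own code: one way to turn the `ExtensionNotFound` failure shown above into a message that names the missing claim. It assumes the `cryptography` package; `FULCIO_CLAIMS`, `explain_missing_claims` and `constructed_cert` are hypothetical names, and the label for the OID is taken from Sigstore's Fulcio OID documentation rather than from this page.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# OID from the error output above. The label is an assumption taken from
# Sigstore's Fulcio OID documentation, not from the issue itself.
FULCIO_CLAIMS = {"1.3.6.1.4.1.57264.1.14": "Source Repository Ref"}


def explain_missing_claims(cert):
    """Return one readable message per expected extension absent from cert."""
    problems = []
    for dotted, label in FULCIO_CLAIMS.items():
        try:
            cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(dotted))
        except x509.ExtensionNotFound:
            problems.append(
                f"signing certificate has no '{label}' extension (OID {dotted}); "
                "it does not look like a Sigstore-issued machine identity certificate"
            )
    return problems


def constructed_cert(claims):
    """Build a throwaway self-signed certificate with the given {oid: DER bytes}
    extensions. Constructed sample input, standing in for an attestation's cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(minutes=10))
    )
    for dotted, der_value in claims.items():
        ext = x509.UnrecognizedExtension(x509.ObjectIdentifier(dotted), der_value)
        builder = builder.add_extension(ext, critical=False)
    return builder.sign(key, hashes.SHA256())
```
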