Invalid API Token: InvalidMacaroon('invalid macaroon signature')

[HotelCalifornia]

Describe the bug

When attempting to upload a package to PyPi using twine and an API token, the server responded with HTTP 403, saying that the API token was invalid due to an invalid macaroon signature.

The key in question was generated less than a day ago, and has not worked once since its inception.

Expected behavior

The package is successfully uploaded to PyPi.

To Reproduce

1. generate project-scoped API token on pypi.org with permission to upload packages
2. set up .pypirc file with the information (see below)
3. run twine upload

My Platform

using twine 3.3.0 on an azure devops agent (vs2017-win2016), reproduced locally on a ubuntu 20.04 instance with the same .pypirc and twine version

Additional context

Presumably related to #8554 and #8565

.pypirc:

[distutils]
  index-servers =
      pypi

[pypi]
  repository = https://upload.pypi.org/legacy/
  username = __token__
  password = <hidden>

Logs

Azure:

2021-01-24T18:48:40.5039786Z Generating script.
2021-01-24T18:48:40.5150417Z Script contents:
2021-01-24T18:48:40.5157086Z twine upload --verbose --config-file D:\a\_temp\.pypirc D:\a\r1\a/pros-cli/pros_cli-3.1.5-commit+5c6238e-linux-x64/*.whl
2021-01-24T18:48:40.5515160Z ========================== Starting Command Output ===========================
2021-01-24T18:48:40.5786443Z ##[command]"C:\windows\system32\cmd.exe" /D /E:ON /V:OFF /S /C "CALL "D:\a\_temp\0c4df389-ca59-46f6-9504-c7b0a3d37f1c.cmd""
2021-01-24T18:48:41.7716729Z Using configuration from D:\a\_temp\.pypirc
2021-01-24T18:48:41.7739361Z Uploading distributions to https://upload.pypi.org/legacy/
2021-01-24T18:48:41.7739872Z   D:\a\r1\a/pros-cli/pros_cli-3.1.5-commit+5c6238e-linux-x64\pros_cli_v5-3.1.5rc18-py3-none-any.whl (112.4 KB)
2021-01-24T18:48:41.7740213Z username set from config file
2021-01-24T18:48:41.7740492Z password set from config file
2021-01-24T18:48:41.7742912Z username: __token__
2021-01-24T18:48:41.7743455Z password: <hidden>
2021-01-24T18:48:41.8916022Z Uploading pros_cli_v5-3.1.5rc18-py3-none-any.whl
2021-01-24T18:48:41.8916368Z 
2021-01-24T18:48:42.2320711Z   0%|          | 0.00/117k [00:00<?, ?B/s]
2021-01-24T18:48:42.3881343Z   7%|6         | 8.00k/117k [00:00<00:04, 24.1kB/s]
2021-01-24T18:48:42.7618404Z  75%|#######5  | 88.0k/117k [00:00<00:00, 222kB/s] 
2021-01-24T18:48:42.7620115Z 100%|##########| 117k/117k [00:00<00:00, 137kB/s] 
2021-01-24T18:48:42.7620762Z Content received from server:
2021-01-24T18:48:42.7621280Z <html>
2021-01-24T18:48:42.7621718Z  <head>
2021-01-24T18:48:42.7622321Z   <title>403 Invalid API Token: InvalidMacaroon('invalid macaroon signature')</title>
2021-01-24T18:48:42.7622904Z  </head>
2021-01-24T18:48:42.7623365Z  <body>
2021-01-24T18:48:42.7624082Z   <h1>403 Invalid API Token: InvalidMacaroon('invalid macaroon signature')</h1>
2021-01-24T18:48:42.7625047Z   Access was denied to this resource.<br/><br/>
2021-01-24T18:48:42.7625806Z Invalid API Token: InvalidMacaroon(&#x27;invalid macaroon signature&#x27;)
2021-01-24T18:48:42.7626355Z 
2021-01-24T18:48:42.7626745Z 
2021-01-24T18:48:42.7627172Z  </body>
2021-01-24T18:48:42.7627626Z </html>
2021-01-24T18:48:42.7641124Z HTTPError: 403 Forbidden from https://upload.pypi.org/legacy/
2021-01-24T18:48:42.7641520Z Invalid API Token: InvalidMacaroon('invalid macaroon signature')
2021-01-24T18:48:42.8763716Z ##[error]Cmd.exe exited with code '1'.

Local:

#>> twine upload --verbose dist/*.whl
Using configuration from /home/hotel/.pypirc
Uploading distributions to https://upload.pypi.org/legacy/
  dist/pros_cli_v5-3.1.5a18-py3-none-any.whl (112.4 KB)
username set from config file
password set from config file
username: __token__
password: <hidden>
Uploading pros_cli_v5-3.1.5a18-py3-none-any.whl
100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 117k/117k [00:00<00:00, 212kB/s]
Content received from server:
<html>
 <head>
  <title>403 Invalid API Token: InvalidMacaroon('invalid macaroon signature')</title>
 </head>
 <body>
  <h1>403 Invalid API Token: InvalidMacaroon('invalid macaroon signature')</h1>
  Access was denied to this resource.<br/><br/>
Invalid API Token: InvalidMacaroon(&#x27;invalid macaroon signature&#x27;)


 </body>
</html>
HTTPError: 403 Forbidden from https://upload.pypi.org/legacy/
Invalid API Token: InvalidMacaroon('invalid macaroon signature')

[HotelCalifornia]

Also may be worth noting that the PyPi account dashboard claims the token has never been used.

[di]

Can you check if the token works when invoking twine with the password directly rather than using it in the .pypirc file? E.g.:

$ twine upload -u __token__ -p <password> dist/*

[HotelCalifornia]

Can you check if the token works when invoking twine with the password directly rather than using it in the .pypirc file? E.g.:

$ twine upload -u __token__ -p <password> dist/*

looks to give the same error

[di]

It looks like you're trying to upload a distribution with the project name pros_cli_v5, is this supposed to be pros_cli? It doesn't look like the former exists.

[HotelCalifornia]

oh man, i guess that decision has finally come back to bite us in the ass... 😅

I'll change the distribution name and give that a shot. Any chance the error message could be updated to make it clear what's happening? Might help people in the future...

[HotelCalifornia]

Yep, that fixed it. Thanks for the help!

[di]

Created #9018 to capture that.