Description
So, PyPI is behaving as expected, but something between the attestation generation step and the upload step is renaming the wheel files with compressed tag sets. @webknjaz @woodruffw does that ring any bells?
I think this is a product of some last-second normalization within `pypi-attestations`: `pypi-attestations` "ultranormalizes" the distribution's filename by ordering the compressed tag set if present, since that's the one part of the wheel filename specification that isn't already canonical. That happens here:
In practice this is strictly superfluous, since PEP 740 says that attestation verification is done by comparing the subject (i.e. dist filename) by parsing, rather than assuming string equality. So, we could probably remove this entirely 🙂
TL;DR: This is probably happening in `pypi-attestations` and can be removed without breakage, since it's a conservative step beyond what PEP 740 requires. At the same time, I'm curious how it got surfaced here since the "ultranormalized" form only occurs within the attestation itself, while PyPI uses the form that it receives.
Originally posted by @woodruffw in #18128
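
An added example (not code from `pypi-attestations`, PyPI, or this issue) of the two behaviours discussed above: sorting a wheel filename's compressed tag sets, and comparing two filenames by parsing them instead of by string equality. The function names, the simplified name/version normalization, and the sample filenames are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple


class WheelName(NamedTuple):
    name: str
    version: str
    build: str
    tags: frozenset  # expanded (python, abi, platform) triples


def parse_wheel_filename(filename: str) -> WheelName:
    """Split a wheel filename and expand its compressed tag sets."""
    if not filename.endswith(".whl"):
        raise ValueError(f"not a wheel filename: {filename!r}")
    parts = filename[: -len(".whl")].split("-")
    if len(parts) not in (5, 6):
        raise ValueError(f"wrong number of components: {filename!r}")
    name, version = parts[0], parts[1]
    build = parts[2] if len(parts) == 6 else ""
    pys, abis, plats = (p.split(".") for p in parts[-3:])
    tags = frozenset((py, abi, plat) for py in pys for abi in abis for plat in plats)
    # Simplified normalization (assumption): lowercase, collapse -_. runs in the name.
    return WheelName(re.sub(r"[-_.]+", "_", name).lower(), version.lower(), build, tags)


def sort_compressed_tags(filename: str) -> str:
    """Return the filename with each dot-separated tag set sorted."""
    stem = filename[: -len(".whl")]
    head, py, abi, plat = stem.rsplit("-", 3)
    ordered = [".".join(sorted(t.split("."))) for t in (py, abi, plat)]
    return "-".join([head, *ordered]) + ".whl"


def same_distribution(a: str, b: str) -> bool:
    """Compare two wheel filenames by parsed content, not string equality."""
    return parse_wheel_filename(a) == parse_wheel_filename(b)


# Constructed sample: the same wheel with its platform tags in two orders.
UPLOADED = "example_pkg-1.0.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl"
SUBJECT = "example_pkg-1.0.0-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl"

if __name__ == "__main__":
    print(sort_compressed_tags(UPLOADED) == SUBJECT)  # sorted form matches the subject
    print(UPLOADED == SUBJECT)                        # raw strings differ
    print(same_distribution(UPLOADED, SUBJECT))       # parsed comparison agrees
```

A verifier that compares the raw strings rejects this pair, while one that compares the parsed forms accepts it regardless of which tag order the uploader or the attestation used.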