Problem
When publishing an artifact with `auths artifact publish --package npm:react@18.3.0`, the `--package` flag value is not stored in `artifact_attestations.package_name`. Instead, the raw filename from the attestation JSON body (e.g., `react-18.3.0.tar.gz`) is stored.
Root cause
The publish handler in `routes/artifacts.rs` correctly reads `--package` from the request body (lines 109-113) and passes it to the response. But when routing through the sequencer (lines 120-154), the `package_name` is NOT included in the `EntryContent`. The sequencer's attest handler (`sequencer/mod.rs:958-966`) extracts `package_name` from `attestation_value["payload"]["name"]` — the raw filename.
Current workaround
We patched this by injecting `_package_name` into the attestation value before passing it to the sequencer:

```rust
// routes/artifacts.rs
// `package_name: Option<String>` holds the --package value read from the request body;
// `attest_value: serde_json::Value` is the attestation JSON about to be sequenced.
if let Some(ref pkg) = package_name {
    if let Some(obj) = attest_value.as_object_mut() {
        // Side-channel field the sequencer checks before falling back to payload.name.
        obj.insert("_package_name".to_string(), serde_json::Value::String(pkg.clone()));
    }
}
```
And the sequencer prefers `_package_name` over `payload.name`:

```rust
// sequencer/mod.rs
// Prefer the injected side-channel field; fall back to the raw payload name (the filename).
let package_name = attestation_value
    .get("_package_name")
    .and_then(|n| n.as_str())
    .filter(|s| !s.is_empty())
    .or_else(|| {
        attestation_value
            .get("payload")
            .and_then(|p| p.get("name"))
            .and_then(|n| n.as_str())
    });
```

This works but is a band-aid.
Proper fix
The attestation JSON payload should carry the ecosystem-qualified package name from the CLI, not the raw filename. The fix should flow through:

- CLI `artifact sign` — the signed attestation payload should include the `--package` name if provided
- CLI `artifact publish` — should not need to pass `package_name` separately; it should already be in the attestation
- Sequencer — should read from the standard attestation payload field, not the `_package_name` side-channel
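As an added example (not the auths project's own code), here is one way the sign side and the sequencer side could agree on a single ecosystem-qualified name format, with the sequencer rejecting a raw filename instead of silently storing it. `PackageRef`, `parse_package_ref`, `payload_name` and `package_name_from_payload` are hypothetical helpers, and the parser goes slightly beyond the issue by also handling scoped npm names.

```rust
// Added example, not code from the auths project.
#[derive(Debug, PartialEq, Eq)]
pub struct PackageRef {
    pub ecosystem: String,
    pub name: String,
    pub version: String,
}

/// Parse `ecosystem:name@version`, e.g. `npm:react@18.3.0`.
/// The version is split at the LAST `@`, so scoped npm names
/// such as `npm:@types/node@20.1.0` keep their leading `@`.
pub fn parse_package_ref(s: &str) -> Result<PackageRef, String> {
    let (ecosystem, rest) = s
        .split_once(':')
        .ok_or_else(|| format!("missing ecosystem prefix in {s:?}"))?;
    let (name, version) = rest
        .rsplit_once('@')
        .ok_or_else(|| format!("missing @version in {s:?}"))?;
    if ecosystem.is_empty() || name.is_empty() || version.is_empty() {
        return Err(format!("empty component in {s:?}"));
    }
    if !ecosystem.chars().all(|c| c.is_ascii_alphanumeric()) {
        return Err(format!("invalid ecosystem {ecosystem:?}"));
    }
    Ok(PackageRef {
        ecosystem: ecosystem.to_string(),
        name: name.to_string(),
        version: version.to_string(),
    })
}

/// CLI `sign` side (hypothetical helper): the payload `name` is the
/// validated `--package` value when given, otherwise the artifact filename.
pub fn payload_name(package_flag: Option<&str>, filename: &str) -> Result<String, String> {
    match package_flag {
        Some(pkg) => parse_package_ref(pkg).map(|_| pkg.to_string()),
        None => Ok(filename.to_string()),
    }
}

/// Sequencer side (hypothetical helper): only an ecosystem-qualified name is
/// accepted as `package_name`. A raw filename like `react-18.3.0.tar.gz` is
/// rejected rather than written to `artifact_attestations.package_name`.
pub fn package_name_from_payload(name: &str) -> Result<String, String> {
    parse_package_ref(name).map(|r| format!("{}:{}@{}", r.ecosystem, r.name, r.version))
}

fn main() {
    // Constructed inputs mirroring the issue: the flag value and the raw filename.
    println!("{:?}", payload_name(Some("npm:react@18.3.0"), "react-18.3.0.tar.gz"));
    println!("{:?}", package_name_from_payload("react-18.3.0.tar.gz"));
}
```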
Files
| File | Current behavior | Expected |
|------|------------------|----------|
| `auths/crates/auths-cli/src/commands/artifact/sign.rs` | Attestation payload `name` = filename | Should accept `--package` and include it |
| `auths/crates/auths-cli/src/commands/artifact/publish.rs` | Sends `package_name` as separate field | Should be in the attestation already |
| `auths-cloud/.../routes/artifacts.rs` | Injects `_package_name` band-aid | Remove band-aid, read from attestation |
| `auths-cloud/.../sequencer/mod.rs` | Prefers `_package_name` over `payload.name` | Read from standard field |
Impact
Without the fix, every artifact published without the workaround creates entries with raw filenames instead of ecosystem-qualified names, breaking the versions/health/badge endpoints.