Unable to read from package registry, composer and/or maven

I can’t install private packages stored on GitLab. I use my organization’s GitLab installation, where I’m not the admin.

I have problems with Maven and Composer, but in this post I will focus on Composer.

I followed all the instructions in “Composer packages in the Package Registry | GitLab” and uploaded the packages successfully.

The trouble occurs when I configure the app via composer.json (repository, auth.json and friends) to install the package.
I receive an error on the zip file downloaded by Composer: Composer can’t unzip it because it is JSON text containing the error message “Not found”.

I tried a personal access token, a project access token and a deploy token; the problem is always the same.

The gitlab installation allows only private repositories so I can’t check if the problem occurs with public projects, too.

The “Not found” is too generic. I suspect it doesn’t find the project, but the ID used is correct, and the group ID is also correct.

Do you have any hints?

To recap my env:

  • self-installed gitlab.com v15.6.2
  • only private repositories can be created
  • composer packages are correctly created and visible under Packages and Registries → Package Registry
  • the packages can’t be installed using composer req orgName/packageName
  • the error is related to the zip file containing JSON with the error message “not found” inside

Thanks in advance.

Have you double-checked your composer.json and auth.json? Do not forget that for a self-hosted instance you need to add the gitlab-domains. Optionally, share both your sanitized files.

It’s important to note that I use Laravel Sail. The commands executed:

    composer config repositories.<<my_group_id>> composer https://mydomain.com/api/v4/group/<<my_group_id>>/-/packages/composer/packages.json
    composer config gitlab-token.mydomain.com <<deploy_token_username>> <<deploy_token>>
    composer config gitlab-domains mydomain.com

My auth.json, present at the Laravel project root:

    {
        "gitlab-token": {
            "mydomain.com": {
                "username": "deploy_token_username",
                "token": "deploy_token"
            }
        }
    }

My composer.json, modified after running the commands shown above:

    "config": {
        "gitlab-domains": ["mydomain.com"]
    },
    "repositories": [{
        "type": "composer",
        "url": "https://mydomain.com/api/v4/group/my_group_id/-/packages/composer/packages.json"
    }]

The relevant composer.lock section:

            "name": "myorg/mypackage",
            "version": "1.0.0",
            "source": {
                "type": "git",
                "url": "https://mydomain.com/myorg/mypackage.git",
                "reference": "generated_red_id"
            },
            "dist": {
                "type": "zip",
                "url": "https://mydomain.com/api/v4/projects/178/packages/composer/archives/myorg/mypackage.zip?sha=generated_red_id",
                "reference": "generated_red_id",
                "shasum": ""
            },
            "require": {
                "sabre/xml": "^4.0"
            },
            "require-dev": {
                "laravel/framework": "^10.27"
            },
            "type": "library",
            "autoload": {
                "psr-4": {
                    "NS\\PackageName\\": "src/"
                }
            },
            "authors": [
                {
                    "name": "my name",
                    "email": "my email"
                }
            ]

When I run the command sail composer req myorg/mypackage:1.0.0 (please note sail), I obtain this error:

    ./composer.json has been updated
    Running composer update myorg/mypackage
    Loading composer repositories with package information
    Updating dependencies
    Lock file operations: 1 install, 0 updates, 0 removals
      - Locking myorg/mypackage (1.0.0)
    Writing lock file
    Installing dependencies from lock file (including require-dev)
    Package operations: 1 install, 0 updates, 0 removals
      - Downloading myorg/mypackage (1.0.0)
      - Installing myorg/mypackage (1.0.0): Extracting archive
        Failed to extract myorg/mypackage: (9) '/usr/bin/unzip' -qq '/var/www/html/vendor/composer/tmp-cedf1c04f10e0a874ea974d8d2e1de4e.zip' -d '/var/www/html/vendor/composer/49859cab'

      End-of-central-directory signature not found.  Either this file is not
      a zipfile, or it constitutes one disk of a multi-part archive.  In the
      latter case the central directory and zipfile comment will be found on
      the last disk(s) of this archive.
    unzip:  cannot find zipfile directory in one of /var/www/html/vendor/composer/tmp-cedf1c04f10e0a874ea974d8d2e1de4e.zip or
            /var/www/html/vendor/composer/tmp-cedf1c04f10e0a874ea974d8d2e1de4e.zip.zip, and cannot find /var/www/html/vendor/composer/tmp-cedf1c04f10e0a874ea974d8d2e1de4e.zip.ZIP, period.

        The archive may contain identical file names with different capitalization (which fails on case insensitive filesystems)
        Unzip with unzip command failed, falling back to ZipArchive class
        Install of myorg/mypackage failed

    In ZipDownloader.php line 222:
      '/var/www/html/vendor/composer/tmp-cedf1c04f10e0a874ea974d8d2e1de4e.zip' is not a zip archive.

    require [--dev] [--dry-run] [--prefer-source] [--prefer-dist] [--prefer-install PREFER-INSTALL] [--fixed] [--no-suggest] [--no-progress] [--no-update] [--no-install] [--no-audit] [--audit-format AUDIT-FORMAT] [--update-no-dev] [-w|--update-with-dependencies] [-W|--update-with-all-dependencies] [--with-dependencies] [--with-all-dependencies] [--ignore-platform-req IGNORE-PLATFORM-REQ] [--ignore-platform-reqs] [--prefer-stable] [--prefer-lowest] [--sort-packages] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--apcu-autoloader] [--apcu-autoloader-prefix APCU-AUTOLOADER-PREFIX] [--] [<packages>...]

The zip file indeed contains the text {"message":"404 Not Found"}

I tried to call the Composer API directly with the command shown below (note that here I use the project ID, not the group ID), but I obtain the identical error:

    curl --user <<deploy_token_username>>:<<deploy_token>> "https://mydomain.com/api/v4/projects/<<project_id>>/packages/composer/archives/myorg/mypackage.zip?sha=673594f85a55fe3c0eb45df7bd2fa9d95a1601ab"

GitLab will sometimes return “Not Found” when it really means “Not authorized”. Presumably this is done for security reasons, but it can make debugging a pain. If you’re sure you have the location correct, double-check your authorization.

One thing that bit us when trying to interact with GitLab’s maven repo is that different types of tokens use different HTTP header names. Make sure you’re using the right one for the type of token you’re using.
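
Added example (not part of any post in this thread, and not GitLab's own code): a shell diagnostic for the failure discussed here. It tells a real zip from an API error body saved under a .zip name, and maps token types to the header names GitLab's Maven registry documentation uses. The function names are hypothetical, the sample bodies are constructed, and whether a given instance's Composer endpoints accept header authentication is an assumption to verify.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not GitLab or Composer APIs.

# Header name GitLab's Maven registry docs give for each token type.
gitlab_auth_header() {
  case "$1" in
    personal|project) echo "Private-Token" ;;
    deploy)           echo "Deploy-Token" ;;
    job)              echo "Job-Token" ;;
    *)                return 1 ;;
  esac
}

# Tell a real zip from an API error body that was saved under a .zip name.
classify_download() {
  magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    504b0304|504b0506) echo "zip" ;;   # local file header / empty archive
    *) if grep -q '"message"' "$1"; then echo "api-error"; else echo "unknown"; fi ;;
  esac
}

# Fetch URL with header auth for the given token type; report status and body kind.
# Needs network access and curl. The token is passed as an argument, so it is
# visible in the process list; run this only on a machine you trust.
probe_archive() {
  url=$1; type=$2; token=$3
  header=$(gitlab_auth_header "$type") || { echo "unknown token type: $type" >&2; return 2; }
  tmp=$(mktemp)
  status=$(curl --silent --output "$tmp" --write-out '%{http_code}' \
                --header "$header: $token" "$url")
  echo "$type via $header: HTTP $status, body=$(classify_download "$tmp")"
  rm -f "$tmp"
}

# Constructed sample bodies (not captured traffic) so the classifier runs offline.
demo_constructed() {
  dir=$(mktemp -d)
  printf '{"message":"404 Not Found"}' > "$dir/error.zip"
  printf 'PK\003\004rest-of-archive' > "$dir/real.zip"
  echo "$(classify_download "$dir/error.zip") $(classify_download "$dir/real.zip")"
  rm -rf "$dir"
}
demo_constructed
```

Calling probe_archive once per token type against the dist URL from composer.lock shows which credential, if any, returns an actual archive rather than a JSON error body.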

I’m pretty sure the locations are correct, and the tokens are created with full permissions (or scope), so I don’t know where to look for the problem.

I presume my issue with Maven is closer to the problem related to Composer, but identifying the problem is a problem :smiley:

Thanks for your feedback.