Tags: pip, install_error (ai_generated: true)

ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. The package <package> has an incorrect hash. It may be compromised, or a new version may have been released.

ID: pip/hash-mismatch-requirements-file

Fix rate: 85%
Confidence: 89%
Evidence: 1
First seen: 2023-03-01

Version Compatibility

Version                 Status    Introduced    Deprecated    Notes
pip 8.0+                active
Python 2.7, 3.4-3.12    active

Root Cause

The hash of the downloaded package does not match the hash specified in the requirements file (--hash=sha256:...), indicating either a corrupted download, a man-in-the-middle attack, or the package version was updated but the hash was not regenerated.

Official Documentation

https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking

Workarounds

  1. 92% success. Regenerate the hash for the correct package version by running pip hash <package>.whl, then update the requirements file with the new hash. Example:
    pip download --no-deps <package>==1.0
    pip hash <package>-1.0-py3-none-any.whl
    Then replace the hash in requirements.txt.
  2. 80% success. Clear the pip cache and retry: pip cache purge && pip install --require-hashes -r requirements.txt. This ensures a fresh download.
  3. 85% success. Use a trusted mirror or PyPI directly: pip install --index-url https://pypi.org/simple --require-hashes -r requirements.txt
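The following Python is an added example, not part of this page or of pip itself. It reproduces the check pip performs in --require-hashes mode: it parses the --hash=<alg>:<digest> options from a requirements file (joining backslash-continued lines), prints a digest the way pip hash does, and compares a downloaded artifact against every pinned digest, so you can confirm which file actually mismatches before regenerating any hash. The package name, wheel bytes and requirements content are constructed; it handles any algorithm hashlib knows, although pip itself only accepts sha256, sha384 and sha512.

```python
import hashlib
import re

# One --hash=<alg>:<hexdigest> option as written in requirements.txt.
_HASH_OPT = re.compile(r"--hash=(?P<alg>[A-Za-z0-9_]+):(?P<digest>[0-9a-fA-F]+)")


def parse_hash_requirements(text: str) -> dict[str, dict[str, set[str]]]:
    """Map requirement name -> {algorithm -> allowed digests}.
    Backslash-continued lines are joined and '#' comments dropped, as pip does."""
    joined = re.sub(r"\\\s*\n", " ", text)
    allowed: dict[str, dict[str, set[str]]] = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        spec = line.split()[0]  # e.g. "examplepkg==1.0"
        name = re.split(r"[=<>!~\[;@]", spec, maxsplit=1)[0].lower()
        per_alg = allowed.setdefault(name, {})
        for m in _HASH_OPT.finditer(line):
            per_alg.setdefault(m["alg"].lower(), set()).add(m["digest"].lower())
    return allowed


def pip_hash_option(data: bytes, alg: str = "sha256") -> str:
    """Format a digest the way `pip hash` prints it, ready to paste into
    requirements.txt. pip itself accepts only sha256, sha384 and sha512 here."""
    return f"--hash={alg}:{hashlib.new(alg, data).hexdigest()}"


def check_artifact(allowed: dict, name: str, data: bytes) -> str:
    """Classify one downloaded file: 'ok' if any pinned digest matches,
    'hash-mismatch' if none does, 'no-hash-pinned' if the requirement carries no
    hashes (pip also refuses to install in that case under --require-hashes)."""
    per_alg = allowed.get(name.lower())
    if not per_alg:
        return "no-hash-pinned"
    for alg, digests in per_alg.items():
        if hashlib.new(alg, data).hexdigest() in digests:
            return "ok"
    return "hash-mismatch"


if __name__ == "__main__":
    # Constructed stand-in for a wheel file; not a real package.
    good = b"PK\x03\x04 constructed wheel bytes for examplepkg 1.0"
    tampered = good + b"\x00"  # one appended or flipped byte is enough to fail
    requirements = f"examplepkg==1.0 \\\n    {pip_hash_option(good)}\n"
    allowed = parse_hash_requirements(requirements)
    print(check_artifact(allowed, "examplepkg", good))      # ok
    print(check_artifact(allowed, "examplepkg", tampered))  # hash-mismatch
```

Run check_artifact against the file pip actually fetched (for example from pip download) before pinning a new digest; if the mismatch persists on a fresh download from PyPI, the cause is not a stale hash.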

Dead Ends

Common approaches that don't work:

  1. 95% fail. This disables security verification entirely, leaving the system vulnerable to compromised packages.
  2. 90% fail. This undermines the integrity check and may allow malicious packages if the source is untrusted.
  3. 99% fail. The hash is deterministic for a given package version; re-downloading the same version will produce the same hash unless the server serves a different file.