{ "id": "pip/hash-mismatch-requirements-file", "signature": "ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. The package has an incorrect hash. It may be compromised, or a new version may have been released.", "signature_zh": "错误:这些包与需求文件中的哈希值不匹配。包 的哈希值不正确。它可能已被篡改,或者发布了新版本。", "regex": "ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE\\. The package .* has an incorrect hash\\.", "domain": "pip", "category": "install_error", "subcategory": null, "root_cause": "The hash of the downloaded package does not match the hash specified in the requirements file (--hash=sha256:...), indicating either a corrupted download, a man-in-the-middle attack, or the package version was updated but the hash was not regenerated.", "root_cause_type": "generic", "root_cause_zh": "下载的包的哈希值与需求文件中指定的哈希值(--hash=sha256:...)不匹配,表明下载损坏、中间人攻击,或者包版本已更新但哈希值未重新生成。", "versions": [ { "version": "pip 8.0+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Python 2.7, 3.4-3.12", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "This disables security verification entirely, leaving the system vulnerable to compromised packages.", "fail_rate": 0.95, "condition": "", "sources": [] }, { "action": "", "why_fails": "This undermines the integrity check and may allow malicious packages if the source is untrusted.", "fail_rate": 0.9, "condition": "", "sources": [] }, { "action": "", "why_fails": "The hash is deterministic for a given package version; re-downloading the same version will produce the same hash unless the server serves a different file.", "fail_rate": 0.99, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Regenerate the hash for the correct package version by running: pip hash .whl, then update the requirements file with the new hash. Example:\npip download --no-deps ==1.0\npip hash -1.0-py3-none-any.whl\nThen replace the hash in requirements.txt.", "success_rate": 0.92, "how": "Regenerate the hash for the correct package version by running: pip hash .whl, then update the requirements file with the new hash. Example:\npip download --no-deps ==1.0\npip hash -1.0-py3-none-any.whl\nThen replace the hash in requirements.txt.", "condition": "", "sources": [] }, { "action": "Clear the pip cache and retry: pip cache purge && pip install --require-hashes -r requirements.txt. This ensures a fresh download.", "success_rate": 0.8, "how": "Clear the pip cache and retry: pip cache purge && pip install --require-hashes -r requirements.txt. This ensures a fresh download.", "condition": "", "sources": [] }, { "action": "Use a trusted mirror or PyPI directly: pip install --index-url https://pypi.org/simple --require-hashes -r requirements.txt", "success_rate": 0.85, "how": "Use a trusted mirror or PyPI directly: pip install --index-url https://pypi.org/simple --require-hashes -r requirements.txt", "condition": "", "sources": [] } ], "workarounds_zh": [ "Regenerate the hash for the correct package version by running: pip hash .whl, then update the requirements file with the new hash. Example:\npip download --no-deps ==1.0\npip hash -1.0-py3-none-any.whl\nThen replace the hash in requirements.txt.", "Clear the pip cache and retry: pip cache purge && pip install --require-hashes -r requirements.txt. This ensures a fresh download.", "Use a trusted mirror or PyPI directly: pip install --index-url https://pypi.org/simple --require-hashes -r requirements.txt" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.89, "fix_success_rate": 0.85, "resolvable": "true", "first_seen": "2023-03-01", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }