# ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. The package <package> has an incorrect hash. It may be compromised, or a new version may have been released.

- **ID:** `pip/hash-mismatch-requirements-file`
- **Domain:** pip
- **Category:** install_error
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

The SHA-256 digest of the downloaded artifact does not match any hash listed for that requirement in the requirements file (`--hash=sha256:...`). pip treats this as fatal in hash-checking mode, which is enabled explicitly by `--require-hashes` or implicitly as soon as any requirement carries a hash. The mismatch indicates either a corrupted download, a man-in-the-middle attack on the index or mirror, or a package version that was updated without regenerating the hash.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| pip 8.0+ | active | — | — |
| Python 2.7, 3.4-3.12 | active | — | — |

## Workarounds

1. **Regenerate the hash for the correct package version with `pip hash`, then update the requirements file with the new hash.** (92% success)
   ```
   pip download --no-deps <package>==1.0
   pip hash <package>-1.0-py3-none-any.whl
   ```
   Then replace the hash in requirements.txt.
2. **Clear the pip cache and retry, which forces a fresh download.** (80% success)
   ```
   pip cache purge && pip install --require-hashes -r requirements.txt
   ```
3. **Use a trusted mirror or PyPI directly.** (85% success)
   ```
   pip install --index-url https://pypi.org/simple --require-hashes -r requirements.txt
   ```
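As an added illustration (not part of this entry and not pip's own code), the script below reproduces the check behind the error and the regeneration step from workaround 1: it parses the `--hash=<alg>:<hex>` options on a requirements line, compares them with the digest of the artifact on disk, and rewrites the line with a fresh digest in the same `--hash=sha256:...` form that `pip hash` prints. The package name `examplepkg`, the wheel contents and the hashes are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Per-requirement hash options as pip accepts them, e.g. --hash=sha256:<hex>
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


def digest_file(path, algorithm="sha256"):
    """Hex digest of a file, streamed so a large wheel is not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def pip_hash_line(path, algorithm="sha256"):
    """Format a digest the way `pip hash` prints it, ready to paste into requirements.txt."""
    return f"--hash={algorithm}:{digest_file(path, algorithm)}"


def parse_requirement(line):
    """Split a requirement line into its specifier and the set of (algorithm, hex) hashes.

    Backslash continuations are joined first so multi-line entries parse as one line.
    """
    text = line.replace("\\\n", " ")
    hashes = {(alg, hexd.lower()) for alg, hexd in HASH_RE.findall(text)}
    spec = HASH_RE.sub("", text).strip()
    return spec, hashes


def verify_artifact(line, path):
    """Mimic the --require-hashes check: the file passes if it matches ANY listed hash.

    Returns (ok, message). A requirement with no hash at all is rejected, as pip
    rejects it once hash-checking mode is active.
    """
    spec, hashes = parse_requirement(line)
    if not hashes:
        return False, f"{spec}: no --hash given; hash-checking mode refuses it"
    for alg, expected in hashes:
        if digest_file(path, alg) == expected:
            return True, f"{spec}: hash ok ({alg})"
    return False, f"{spec}: THESE PACKAGES DO NOT MATCH THE HASHES ({Path(path).name})"


def regenerate_requirement(line, path):
    """Replace every stale hash on the line with the digest of the artifact actually in use."""
    spec, _ = parse_requirement(line)
    return f"{spec} {pip_hash_line(path)}"


def make_fake_wheel(contents, name="examplepkg-1.0-py3-none-any.whl"):
    """Write a constructed stand-in for a downloaded wheel and return its path (demo only)."""
    tmpdir = Path(tempfile.mkdtemp())
    path = tmpdir / name
    path.write_bytes(contents)
    return str(path)


if __name__ == "__main__":
    # Constructed requirement whose hash is sha256(b"abc"); the "download" is tampered.
    pinned = ("examplepkg==1.0 "
              "--hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
    good = make_fake_wheel(b"abc")
    tampered = make_fake_wheel(b"abd")
    print(verify_artifact(pinned, good)[1])
    print(verify_artifact(pinned, tampered)[1])
    # Only regenerate after confirming the artifact is the intended release.
    print(regenerate_requirement(pinned, good))
```

Regenerating a hash only makes sense once you have confirmed that the artifact in hand is the intended release (for example by downloading it fresh from PyPI with `pip download --no-deps`); rewriting the line to match whatever file produced the mismatch would just launder a corrupted or tampered download into the lockfile.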

## Dead Ends

- This disables security verification entirely, leaving the system vulnerable to compromised packages. (95% fail)
- This undermines the integrity check and may allow malicious packages if the source is untrusted. (90% fail)
- The hash is deterministic for a given package version; re-downloading the same version will produce the same hash unless the server serves a different file. (99% fail)
