pip install_error ai_generated true

ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. The package <package> has an incorrect hash. It may be compromised, or a new version may have been released.

ID: pip/hash-mismatch-requirements-file

Fix rate: 85%
Confidence: 89%
Evidence count: 1
First seen: 2023-03-01

Version compatibility

Version                 Status   Introduced   Deprecated   Notes
pip 8.0+                active
Python 2.7, 3.4-3.12    active

Root cause analysis

The hash of the downloaded package does not match the hash specified in the requirements file (--hash=sha256:...), indicating either a corrupted download, a man-in-the-middle attack, or the package version was updated but the hash was not regenerated.

generic

Official documentation

https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking

Solutions

  1. Regenerate the hash for the correct package version by running: pip hash <package>.whl, then update the requirements file with the new hash. Example:
    pip download --no-deps <package>==1.0
    pip hash <package>-1.0-py3-none-any.whl
    Then replace the hash in requirements.txt.
  2. Clear the pip cache and retry: pip cache purge && pip install --require-hashes -r requirements.txt. This ensures a fresh download.
  3. Use a trusted mirror or PyPI directly: pip install --index-url https://pypi.org/simple --require-hashes -r requirements.txt
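To make the check behind this error concrete, the following is an added example (not pip's own code) that re-implements, in a few lines, what `pip install --require-hashes` does with the `--hash=sha256:...` options in a requirements file: it pins the name and version, accepts a download only if one of the listed digests matches, and rejects it otherwise. The wheel bytes and the requirements text are constructed for the demo; the function names (`requirement_line`, `parse_requirements`, `verify_download`) are this example's own.

```python
# Added example: a minimal model of pip's hash-checking mode, run offline.
# Assumes the documented requirements syntax `name==ver --hash=sha256:<hex>`,
# possibly with several --hash options and backslash continuation lines.
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample data: these bytes stand in for a downloaded wheel file.
GOOD_WHEEL = b"PK\x03\x04 constructed wheel payload for demo-1.0"
# One extra byte models a corrupted or altered download; the digest changes completely.
TAMPERED_WHEEL = GOOD_WHEEL + b"\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def requirement_line(name: str, version: str, data: bytes) -> str:
    """Build the pinned, hashed line that the output of `pip hash` is pasted into."""
    return f"{name}=={version} --hash=sha256:{sha256_hex(data)}"


_HASH_OPT = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<hex>[0-9a-fA-F]+)")
_PIN = re.compile(r"^([A-Za-z0-9_.\-]+)==(\S+)$")


def parse_requirements(text: str) -> Dict[str, Tuple[str, List[Tuple[str, str]]]]:
    """Map lower-cased requirement name -> (version, [(algorithm, hexdigest), ...]).

    Joins backslash-continued lines, strips '#' comments and skips option-only
    lines such as --index-url. In hash mode every requirement must be pinned
    with '==', so anything else is rejected up front.
    """
    joined = text.replace("\\\n", " ")
    result: Dict[str, Tuple[str, List[Tuple[str, str]]]] = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        hashes = [(m.group("alg"), m.group("hex").lower()) for m in _HASH_OPT.finditer(line)]
        spec = line.split("--hash=", 1)[0].strip()
        pin = _PIN.match(spec)
        if not pin:
            raise ValueError(f"hash mode needs an exact pin (name==version): {spec!r}")
        result[pin.group(1).lower()] = (pin.group(2), hashes)
    return result


def verify_download(name: str, data: bytes, reqs) -> Tuple[bool, str]:
    """Return (ok, message), mirroring pip's pass/fail decision for one downloaded file."""
    key = name.lower()
    if key not in reqs:
        return False, f"{name}: not listed in the requirements file"
    version, hashes = reqs[key]
    if not hashes:
        return False, f"{name}=={version}: no --hash given; --require-hashes rejects it"
    # pip accepts the file if ANY listed digest matches (several may be listed,
    # e.g. one per wheel platform); otherwise it fails the whole install.
    for alg, expected in hashes:
        if alg not in hashlib.algorithms_available:
            continue
        if hashlib.new(alg, data).hexdigest() == expected:
            return True, f"{name}=={version}: {alg} matches"
    return False, (
        f"{name}=={version}: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. "
        f"Expected one of {[h for _, h in hashes]}, got sha256:{sha256_hex(data)}"
    )


# Constructed requirements file: a correct digest plus a second, stale one on a
# continuation line, which is the shape the file takes after a hash was regenerated.
REQUIREMENTS = "\n".join([
    "--index-url https://pypi.org/simple",
    "# constructed requirements file for the demo",
    requirement_line("demo", "1.0", GOOD_WHEEL) + " \\",
    "    --hash=sha256:" + "0" * 64,
])

if __name__ == "__main__":
    reqs = parse_requirements(REQUIREMENTS)
    print(verify_download("demo", GOOD_WHEEL, reqs)[1])
    print(verify_download("demo", TAMPERED_WHEEL, reqs)[1])
```

Running the block prints a pass for the intact bytes and the mismatch message for the altered ones; the message is what step 1 above resolves by regenerating the digest with `pip hash` and replacing the stale `--hash=` value, and what step 2 resolves when the cause was a corrupted cached download.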

Ineffective attempts

Common but ineffective approaches:

  1. 95% failure

    This disables security verification entirely, leaving the system vulnerable to compromised packages.

  2. 90% failure

    This undermines the integrity check and may allow malicious packages if the source is untrusted.

  3. 99% failure

    The hash is deterministic for a given package version; re-downloading the same version will produce the same hash unless the server serves a different file.