# 错误：这些包与需求文件中的哈希值不匹配。包 <package> 的哈希值不正确。它可能已被篡改，或者发布了新版本。

- **ID:** `pip/hash-mismatch-requirements-file`
- **领域:** pip
- **类别:** install_error
- **验证级别:** ai_generated
- **修复率:** 85%

## 根因

下载的包的哈希值与需求文件中指定的哈希值（--hash=sha256:...）不匹配，表明下载损坏、中间人攻击，或者包版本已更新但哈希值未重新生成。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| pip 8.0+ | active | — | — |
| Python 2.7, 3.4-3.12 | active | — | — |

## 解决方案

1. ```
   Regenerate the hash for the correct package version by running: pip hash <package>.whl, then update the requirements file with the new hash. Example:
pip download --no-deps <package>==1.0
pip hash <package>-1.0-py3-none-any.whl
Then replace the hash in requirements.txt.
   ```
2. ```
   Clear the pip cache and retry: pip cache purge && pip install --require-hashes -r requirements.txt. This ensures a fresh download.
   ```
3. ```
   Use a trusted mirror or PyPI directly: pip install --index-url https://pypi.org/simple --require-hashes -r requirements.txt
   ```

## 无效尝试

- **** — This disables security verification entirely, leaving the system vulnerable to compromised packages. (95% 失败率)
- **** — This undermines the integrity check and may allow malicious packages if the source is untrusted. (90% 失败率)
- **** — The hash is deterministic for a given package version; re-downloading the same version will produce the same hash unless the server serves a different file. (99% 失败率)