pip data_error ai_generated true

ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, update the hashes as well. Otherwise, examine the package contents carefully; someone may have tampered with them. package==1.2.3 from https://files.pythonhosted.org/packages/.../package-1.2.3.tar.gz#sha256=abc123...: Expected sha256 abc123... Got sha256 def456...

ID: pip/requirements-file-hash-mismatch-line

Fix Rate: 90%
Confidence: 85%
Evidence: 1
First Seen: 2023-08-20

Version Compatibility

Version       Status   Introduced   Deprecated   Notes
pip 23.2      active
Python 3.11   active
hashin 0.17   active

Root Cause

The hash of the downloaded package file does not match the hash pinned in the requirements file. This indicates a corrupted download, a package file that was re-uploaded after the hash was pinned, or tampering.

generic


Official Documentation

https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking

Workarounds

  1. 95% success: Regenerate the hash for the package using 'pip hash <package>.tar.gz' and update the requirements file with the new hash.
  2. 90% success: Remove the hash lines from the requirements file and re-pin with 'pip freeze > requirements.txt' to get fresh hashes.
  3. 85% success: Use a tool like 'hashin' to update all hashes: 'hashin --update-all package==1.2.3'
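
The workarounds above all replace the pinned hash, so it helps to classify the "Got" digest first. The following is an added example, not code from pip or from this page: `parse_pins`, `triage`, the verdict labels and the sample bytes are constructed for illustration, and `published` stands in for the per-file sha256 list the index publishes for the release, assumed to be fetched separately from the failed download.

```python
import hashlib
import re

HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def parse_pins(requirements_text):
    """Map each 'name==version' spec to the set of sha256 digests pinned for it."""
    pins = {}
    folded = requirements_text.replace("\\\n", " ")  # join continuation lines
    for line in folded.splitlines():
        line = line.split(" #")[0].strip()  # drop trailing comments
        if not line or line[0] in "#-":  # skip comments and option-only lines
            continue
        pins[line.split()[0]] = set(HASH_OPT.findall(line))
    return pins

def triage(spec, artifact, pins, published):
    """Classify downloaded bytes before any pin is changed.

    published: {filename: sha256} for this release, as listed by the index
    (assumption: obtained independently of the failed download).
    """
    got = sha256_hex(artifact)
    if got in pins.get(spec, set()):
        return "pinned", got
    if got in published.values():
        # The index lists this file: the pin is stale or covers a different
        # file of the release. Review the release, then add the hash.
        return "published-not-pinned", got
    # Neither pinned nor listed: corrupted or altered; leave the pin alone.
    return "unlisted", got

# Constructed sample data (not real package contents).
SDIST = b"constructed sdist bytes"
WHEEL = b"constructed wheel bytes"
ALTERED = SDIST + b" plus one changed byte"
REQS = "package==1.2.3 \\\n    --hash=sha256:" + sha256_hex(SDIST) + "\n"
PUBLISHED = {
    "package-1.2.3.tar.gz": sha256_hex(SDIST),
    "package-1.2.3-py3-none-any.whl": sha256_hex(WHEEL),
}

if __name__ == "__main__":
    pins = parse_pins(REQS)
    for label, blob in (("sdist", SDIST), ("wheel", WHEEL), ("altered", ALTERED)):
        print(label, triage("package==1.2.3", blob, pins, PUBLISHED)[0])
```

Only the "published-not-pinned" verdict is a candidate for a hash update; an "unlisted" digest means the file should be re-fetched and inspected with the pin left unchanged.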


Dead Ends

Common approaches that don't work:

  1. 95% fail

    Clearing the pip cache with 'pip cache purge' does not fix a hash mismatch; the downloaded file hash is still wrong.

  2. 90% fail

    Using --no-cache-dir forces a fresh download, but if the source hash changed, it still mismatches.

  3. 50% fail

    Ignoring the error with --no-hash is insecure and may expose you to tampered packages.