{ "id": "pip/requirements-file-hash-mismatch-line", "signature": "ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, update the hashes as well. Otherwise, examine the package contents carefully; someone may have tampered with them.\n package==1.2.3 from https://files.pythonhosted.org/packages/.../package-1.2.3.tar.gz#sha256=abc123...:\n Expected sha256 abc123...\n Got sha256 def456...", "signature_zh": "错误:这些包的哈希值与 requirements 文件中的不匹配。如果您更新了包版本,请同时更新哈希值。否则,请仔细检查包内容;可能有人篡改了它们。\n package==1.2.3 from https://files.pythonhosted.org/packages/.../package-1.2.3.tar.gz#sha256=abc123...:\n 期望 sha256 abc123...\n 实际 sha256 def456...", "regex": "ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE\\.\\n\\s+package==[\\d.]+ from https://[^\\s]+:\\n\\s+Expected sha256 [a-f0-9]+\\n\\s+Got\\s+sha256 [a-f0-9]+", "domain": "pip", "category": "data_error", "subcategory": null, "root_cause": "The hash of the downloaded package file does not match the pinned hash in the requirements file, indicating either a corrupted download, a mismatch after package re-upload, or a security tampering attempt.", "root_cause_type": "generic", "root_cause_zh": "下载的包文件的哈希值与 requirements 文件中固定的哈希值不匹配,表明下载损坏、包重新上传后不匹配或存在安全篡改尝试。", "versions": [ { "version": "pip 23.2", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Python 3.11", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "hashin 0.17", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "Clearing pip cache with 'pip cache purge' does not fix hash mismatch; the downloaded file hash is still wrong.", "fail_rate": 0.95, "condition": "", "sources": [] }, { "action": "", "why_fails": "Using --no-cache-dir forces a fresh download but if the source hash changed, it still mismatches.", "fail_rate": 0.9, "condition": "", "sources": [] }, { "action": "", "why_fails": "Ignoring the error with --no-hash is insecure and may expose to tampered packages.", "fail_rate": 0.5, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Regenerate the hash for the package using 'pip hash .tar.gz' and update the requirements file with the new hash.", "success_rate": 0.95, "how": "Regenerate the hash for the package using 'pip hash .tar.gz' and update the requirements file with the new hash.", "condition": "", "sources": [] }, { "action": "Remove the hash lines from the requirements file and re-pin with 'pip freeze > requirements.txt' to get fresh hashes.", "success_rate": 0.9, "how": "Remove the hash lines from the requirements file and re-pin with 'pip freeze > requirements.txt' to get fresh hashes.", "condition": "", "sources": [] }, { "action": "Use a tool like 'hashin' to update all hashes: 'hashin --update-all package==1.2.3'", "success_rate": 0.85, "how": "Use a tool like 'hashin' to update all hashes: 'hashin --update-all package==1.2.3'", "condition": "", "sources": [] } ], "workarounds_zh": [ "使用 'pip hash .tar.gz' 重新生成包哈希,并用新哈希更新 requirements 文件。", "从 requirements 文件中移除哈希行,然后使用 'pip freeze > requirements.txt' 重新固定以获取新哈希。", "使用 'hashin' 工具更新所有哈希:'hashin --update-all package==1.2.3'" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.85, "fix_success_rate": 0.9, "resolvable": "true", "first_seen": "2023-08-20", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }