# ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, update the hashes as well. Otherwise, examine the package contents carefully; someone may have tampered with them.
```
  package==1.2.3 from https://files.pythonhosted.org/packages/.../package-1.2.3.tar.gz#sha256=abc123...:
    Expected sha256 abc123...
    Got      sha256 def456...
```

- **ID:** `pip/requirements-file-hash-mismatch-line`
- **Domain:** pip
- **Category:** data_error
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

The hash of the downloaded package file does not match the hash pinned in the requirements file. This indicates a corrupted download, a package that was re-uploaded with different contents, or a tampering attempt.
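The comparison described above, as an added example that is not part of the original entry and is not pip's own code: it reads `--hash=sha256:` pins from requirements text and checks the digest of a downloaded file against them, which is worth doing before accepting any new hash. The function names, sample bytes and sample requirements text are constructed for illustration.

```python
import hashlib
import re

# Matches pip's per-requirement option, e.g. --hash=sha256:<64 hex chars>
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def pinned_hashes(requirements_text):
    """Map 'name==version' to the set of sha256 digests pinned for it."""
    pins = {}
    # Join backslash-continued lines so each requirement is one logical line.
    logical = requirements_text.replace("\\\n", " ")
    for line in logical.splitlines():
        line = line.split(" #", 1)[0].strip()  # drop inline comments
        if not line or line.startswith(("#", "-")):
            continue  # skip comments and option lines such as -r / --index-url
        spec = line.split()[0]
        digests = {d.lower() for d in HASH_OPT.findall(line)}
        if digests:
            pins.setdefault(spec, set()).update(digests)
    return pins


def check_artifact(spec, data, pins):
    """Return (ok, got, expected) for the bytes of a downloaded artifact."""
    got = hashlib.sha256(data).hexdigest()
    expected = pins.get(spec, set())
    # A requirement with no pinned hash never passes.
    return got in expected, got, sorted(expected)


# Constructed sample data: stand-ins for the pinned file and the received file.
PUBLISHED = b"constructed sdist bytes for package 1.2.3"
RECEIVED = b"constructed sdist bytes for package 1.2.3 (altered)"
REQUIREMENTS = (
    "# constructed requirements file\n"
    "package==1.2.3 \\\n"
    "    --hash=sha256:" + hashlib.sha256(PUBLISHED).hexdigest() + "\n"
)

if __name__ == "__main__":
    pins = pinned_hashes(REQUIREMENTS)
    for label, blob in (("published", PUBLISHED), ("received", RECEIVED)):
        ok, got, expected = check_artifact("package==1.2.3", blob, pins)
        print(label, "OK" if ok else "MISMATCH")
        if not ok:
            print("  Expected sha256", ", ".join(expected))
            print("  Got      sha256", got)
```

A mismatch on a file fetched twice from the same URL points away from a corrupted download and toward a changed or altered upload, which should be investigated before the pin is updated.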

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| pip 23.2 | active | — | — |
| Python 3.11 | active | — | — |
| hashin 0.17 | active | — | — |

## Workarounds

1. **Regenerate the hash for the package using `pip hash <package>.tar.gz` and update the requirements file with the new hash.** (95% success)
   ```
   pip hash <package>.tar.gz
   ```
2. **Remove the hash lines from the requirements file and re-pin with `pip freeze > requirements.txt` to get fresh hashes.** (90% success)
   ```
   pip freeze > requirements.txt
   ```
3. **Use a tool like `hashin` to update all hashes: `hashin --update-all package==1.2.3`** (85% success)
   ```
   hashin --update-all package==1.2.3
   ```

## Dead Ends

- Clearing the pip cache with `pip cache purge` does not fix the hash mismatch; the hash of the downloaded file is still wrong. (95% fail)
- Using `--no-cache-dir` forces a fresh download, but if the source hash changed, it still mismatches. (90% fail)
- Ignoring the error with `--no-hash` is insecure and may expose you to tampered packages. (50% fail)
