pip data_error ai_generated true

ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, update the hashes as well. Otherwise, examine the package contents carefully; someone may have tampered with them. package==1.2.3 from https://files.pythonhosted.org/packages/.../package-1.2.3.tar.gz#sha256=abc123...: Expected sha256 abc123... Got sha256 def456...

ID: pip/requirements-file-hash-mismatch-line

Fix rate: 90%
Confidence: 85%
Evidence count: 1
First seen: 2023-08-20

Version compatibility

Version       Status  Introduced  Deprecated  Notes
pip 23.2      active
Python 3.11   active
hashin 0.17   active

Root cause analysis

The hash of the downloaded package file does not match the hash pinned in the requirements file. This indicates a corrupted download, a mismatch after the package was re-uploaded, or a tampering attempt.

generic

Official documentation

https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking

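Solutions

  1. Regenerate the package hash with 'pip hash <package>.tar.gz' and update the requirements file with the new hash.
  2. Remove the hash lines from the requirements file, then re-pin with 'pip freeze > requirements.txt' to obtain new hashes.
  3. Update all hashes with the 'hashin' tool: 'hashin --update-all package==1.2.3'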
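
The comparison behind this error, as an added example that is not code from pip or from this page: it reads the `--hash` pins for a requirement and checks a downloaded file against them, so the actual digest can be examined before any pin is changed. The function names `pinned_hashes` and `check_artifact` are hypothetical, and the file bytes and requirements text are constructed samples.

```python
import hashlib
import re

HASH_OPT = re.compile(r"--hash[=\s]([a-z0-9]+):([0-9a-f]+)")

def pinned_hashes(requirements_text):
    """Map 'name==version' to the set of (algorithm, hex digest) pins."""
    # pip allows backslash continuations; join them into one logical line.
    logical = re.sub(r"\\\r?\n", " ", requirements_text)
    pins = {}
    for line in logical.splitlines():
        line = line.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith(("#", "-")):
            continue  # blank line, comment, or a global option such as -r
        spec = line.split()[0].lower()
        pins[spec] = set(HASH_OPT.findall(line))
    return pins

def check_artifact(spec, data, pins):
    """Return (status, sha256 of data); status is match, mismatch or unpinned."""
    actual = hashlib.sha256(data).hexdigest()
    allowed = pins.get(spec.lower())
    if not allowed:
        return "unpinned", actual
    # Any one listed hash may match (one pin per sdist/wheel is normal).
    for algo, digest in allowed:
        if hashlib.new(algo, data).hexdigest() == digest:
            return "match", actual
    return "mismatch", actual

# Constructed sample: stand-in bytes for package-1.2.3.tar.gz and a pin file.
SAMPLE = b"constructed stand-in for package-1.2.3.tar.gz"
GOOD = hashlib.sha256(SAMPLE).hexdigest()
REQS = (
    "# constructed requirements file\n"
    "package==1.2.3 \\\n"
    f"    --hash=sha256:{GOOD} \\\n"
    f"    --hash=sha256:{'0' * 64}\n"
    "other==0.1  # no hashes pinned\n"
)
PINS = pinned_hashes(REQS)

if __name__ == "__main__":
    print(check_artifact("package==1.2.3", SAMPLE, PINS))         # match
    print(check_artifact("package==1.2.3", SAMPLE + b"!", PINS))  # mismatch
```

On a mismatch, the returned sha256 is the value to compare against the digest the package index publishes for that file before any pin is updated.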

Ineffective attempts

Common but ineffective approaches:

  1. 95% failure

    Clearing the pip cache with 'pip cache purge' does not fix a hash mismatch; the hash of the downloaded file is still wrong.

  2. 90% failure

    Using --no-cache-dir forces a fresh download, but if the source hash changed, it still mismatches.

  3. 50% failure

    Ignoring the error with --no-hash is insecure and may expose you to tampered packages.