ERROR
pip
data_error
ai_generated
true
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, update the hashes in the requirements file. Otherwise, check that the requirements file is correct. The package <package> has an incorrect hash: expected sha256=abc123... got sha256=def456...
ID: pip/requirements-file-hash-mismatch-multiple
Fix Rate: 90%
Confidence: 90%
Evidence: 1
First Seen: 2023-02-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| pip 22.0 | active | — | — | — |
| pip 22.3 | active | — | — | — |
| pip 23.0 | active | — | — | — |
| pip 23.2 | active | — | — | — |
Root Cause
The hash recorded in the requirements file for a package does not match the hash of the downloaded wheel, indicating either a corrupted download, a man-in-the-middle attack, or an outdated requirements file.
Official Documentation
https://pip.pypa.io/en/stable/topics/secure-installs/#hash-verification
Workarounds
- 90% success: Update the requirements file by regenerating hashes from a trusted source: pip hash <path-to-downloaded-file> > new_hash.txt (pip hash takes a local archive, not a <package>==<version> specifier), then replace the hash in requirements.txt.
- 85% success: Temporarily install from a copy of the requirements file with the --hash options removed: pip install -r <copy-without-hashes>.txt (pip has no --no-hash-check option; hash checking is switched on by the hashes themselves or by --require-hashes), then verify the package integrity manually via PyPI or official source.
- 80% success: Clear pip cache: pip cache purge, then retry with hash verification enabled.
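The comparison described under Root Cause, as an added example (not pip's code and not part of the original entry): it reads the `--hash=sha256:` pins from a requirements file and checks them against the digest of a locally downloaded file. The function names and the two sample "wheels" are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HASH_OPT = re.compile(r"--hash[= ]sha256:([0-9a-f]{64})")

def parse_pinned(req_text):
    """Map each 'name==version' pin to the set of sha256 digests recorded for it."""
    logical = req_text.replace("\\\n", " ")  # join backslash continuations
    pins = {}
    for line in logical.splitlines():
        line = line.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith(("#", "-")):
            continue  # blank, comment, or a global option such as --index-url
        pins[line.split()[0]] = set(HASH_OPT.findall(line))
    return pins

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream in 1 MiB chunks
            h.update(chunk)
    return h.hexdigest()

def check(req_text, artifacts):
    """artifacts: {'name==version': path}. Returns {pin: (status, actual_digest)}."""
    pins, report = parse_pinned(req_text), {}
    for pin, path in artifacts.items():
        got, expected = sha256_file(path), pins.get(pin)
        if not expected:
            status = "no-hash-recorded"
        else:
            status = "match" if got in expected else "mismatch"
        report[pin] = (status, got)
    return report

def demo():
    """Constructed sample: two fake wheels, one pinned correctly, one with a stale hash."""
    d = Path(tempfile.mkdtemp())
    good, bad = d / "alpha-1.0-py3-none-any.whl", d / "beta-2.0-py3-none-any.whl"
    good.write_bytes(b"constructed alpha payload")
    bad.write_bytes(b"constructed beta payload")
    req = (f"alpha==1.0 \\\n    --hash=sha256:{sha256_file(good)}\n"
           f"beta==2.0 --hash=sha256:{'0' * 64}  # stale pin\n")
    return check(req, {"alpha==1.0": good, "beta==2.0": bad})

if __name__ == "__main__":
    for pin, (status, digest) in demo().items():
        print(f"{pin}: {status} (actual sha256={digest})")
```

A "mismatch" result only says that the file and the pin differ; compare the reported digest with the one published by the trusted source before changing the pin.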
Dead Ends
Common approaches that don't work:
- 80% fail: Disables hash verification, leaving the system vulnerable to supply chain attacks; not a fix, just a bypass.
- 60% fail: If the mirror is also compromised or serving the same corrupted file, the hash will still mismatch.
- 70% fail: Blindly accepting the new hash defeats the purpose of hash checking; could install malicious code.