ERROR pip data_error ai_generated true

ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, update the hashes in the requirements file. Otherwise, check that the requirements file is correct. The package <package> has an incorrect hash: expected sha256=abc123... got sha256=def456...

ID: pip/requirements-file-hash-mismatch-multiple

Fix rate: 90%
Confidence: 90%
Evidence count: 1
First seen: 2023-02-20

Version compatibility

Version     Status    Introduced    Deprecated    Notes
pip 22.0    active
pip 22.3    active
pip 23.0    active
pip 23.2    active

Root cause analysis

The hash recorded in the requirements file for a package does not match the hash of the downloaded wheel, indicating either a corrupted download, a man-in-the-middle attack, or an outdated requirements file.

generic

Official documentation

https://pip.pypa.io/en/stable/topics/secure-installs/#hash-verification

Solutions

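  1. Update the requirements file by regenerating hashes from a trusted source: pip download --no-deps <package>==<version>, then pip hash <downloaded file> > new_hash.txt (pip hash takes a local file path, not a package name), then replace the hash in requirements.txt.
  2. Use a requirements file without hashes temporarily: pip has no --no-hash-check option, and hash-checking mode is on whenever any requirement carries --hash, so install from a copy of requirements.txt with the --hash options removed, then verify the package integrity manually via PyPI or official source.
  3. Clear the pip cache: pip cache purge, then retry with hash verification enabled.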
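An added example, not part of the original entry or of pip itself: before regenerating any hash, check a downloaded artifact against the pins in the requirements file to see which side changed. The function names, the sample file and the requirements text are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# pip accepts these algorithms in --hash options.
HASH_RE = re.compile(r"--hash[=\s]+(sha256|sha384|sha512):([0-9a-fA-F]+)")

def pinned_hashes(requirements_text):
    """Map 'name==version' -> set of (algorithm, hexdigest) pinned with --hash."""
    # Join backslash continuations so each requirement is one logical line.
    logical = re.sub(r"\\\r?\n", " ", requirements_text)
    pins = {}
    for line in logical.splitlines():
        line = line.split(" #", 1)[0].strip()
        if not line or line.startswith(("#", "-")):
            continue  # blank, comment, or global option such as --index-url
        # Assumption: the spec is written the same way in both places
        # (no name normalisation of '-' versus '_' is attempted here).
        spec = line.split()[0].lower()
        pins[spec] = {(a, d.lower()) for a, d in HASH_RE.findall(line)}
    return pins

def file_digest(path, algorithm):
    """Hash a file in chunks so large wheels are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_artifact(requirements_text, spec, path):
    """Return (ok, computed); computed maps each pinned algorithm to the file's digest."""
    pins = pinned_hashes(requirements_text).get(spec.lower(), set())
    computed = {alg: file_digest(path, alg) for alg in {a for a, _ in pins}}
    ok = any(computed[alg] == digest for alg, digest in pins)
    return ok, computed

# Constructed sample: a stand-in "wheel" and a requirements file that pins it.
SAMPLE_WHEEL = Path(tempfile.mkdtemp()) / "demo_pkg-1.0-py3-none-any.whl"
SAMPLE_WHEEL.write_bytes(b"constructed wheel bytes")
GOOD = hashlib.sha256(b"constructed wheel bytes").hexdigest()
SAMPLE_REQS = f"""# constructed requirements file
demo-pkg==1.0 \\
    --hash=sha256:{GOOD} \\
    --hash=sha256:{'0' * 64}
"""

if __name__ == "__main__":
    print(check_artifact(SAMPLE_REQS, "demo-pkg==1.0", SAMPLE_WHEEL))
```

If the check fails, compare the computed digest with the one published for that file by the index before touching requirements.txt.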

Ineffective attempts

Common but ineffective approaches:

  1. 80% failure

    Disables hash verification, leaving the system vulnerable to supply chain attacks; not a fix, just a bypass.

  2. 60% failure

    If the mirror is also compromised or serving the same corrupted file, the hash will still mismatch.

  3. 70% failure

    Blindly accepting the new hash defeats the purpose of hash checking; could install malicious code.