ERROR pip data_error ai_generated true

ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.

pip follows this line with one entry per failing requirement, listing the expected digest(s) from the requirements file and the digest it actually got for the downloaded file.

ID: pip/requirements-file-hash-mismatch

Fix Rate: 85%
Confidence: 90%
Evidence: 1
First Seen: 2023-02-10

Version Compatibility

Version        Status   Introduced   Deprecated   Notes
pip 20.0+      active   -            -            -
Python 3.9     active   -            -            -

Root Cause

The SHA-256 (or SHA-384/SHA-512) digest of the downloaded distribution file (wheel or sdist) does not match any of the digests pinned for that requirement with --hash=, so pip in hash-checking mode refuses to install it. Hash-checking mode is switched on automatically as soon as any requirement in the file carries a --hash option, and it then requires every requirement, including transitive dependencies, to be pinned. The usual causes are a corrupted or truncated download, a tampered or replaced artifact (on the index, on a mirror or proxy, or modified in transit), or pins that were not updated after a package was upgraded or rebuilt. A rebuilt wheel with the same version number but different bytes also fails, which is the point: the digest binds the install to the exact artifact that was reviewed.


Official Documentation

https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking

Workarounds

  1. 90% success Regenerate the pins from the artifacts you actually intend to install: download them (pip download -r requirements.txt -d ./dl --no-deps) and compute fresh --hash= options with pip hash ./dl/*.whl, or regenerate the whole file with pip-compile --generate-hashes requirements.in from pip-tools. pip freeze has no --hash option and cannot produce hash pins.
  2. 85% success Re-run in hash-checking mode against the index you trust: pip install --require-hashes -r requirements.txt --index-url https://pypi.org/simple/ (hash-checking mode is already implied once any requirement carries --hash; --require-hashes makes it explicit and fails fast if any requirement is unhashed). If a mirror or proxy sits between you and PyPI, pointing directly at https://pypi.org/simple/ tells you whether the mirror is serving a different artifact.
  3. 80% success Inspect the single failing package before trusting a new hash: pip download --no-deps <package>==<version> -d ./dl, then pip hash ./dl/<file>.whl, and compare the digest with the one published on the package's PyPI release page for that file. Update the pin only if they agree. There is no --no-hashes option in pip install; the only bypass is to strip the --hash options from the file, which must not be the answer to a single unexplained mismatch.
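The check pip performs in hash-checking mode, and the pin regeneration from workaround 1, written out as an added example (this is not pip's code and not from the page above): it parses the --hash= options from a requirements file, streams each downloaded file through hashlib, and reports ok / mismatch / unhashed per requirement, the last being the "all-or-nothing" rule that makes pip reject any unpinned requirement once hash checking is on. The wheel file names, their contents and the requirements text are constructed inline so the script runs offline; the all-zero digest stands in for a stale pin left over from an earlier build.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hash options as pip writes them: --hash=sha256:<hex>  (sha384/sha512 are also accepted by pip)
HASH_RE = re.compile(r"--hash=(?P<alg>sha256|sha384|sha512):(?P<digest>[0-9a-fA-F]+)")


def parse_requirements(text):
    """Map each requirement spec to {algorithm: {digests}} from a pip requirements file.

    Handles backslash line continuations and '#' comments, the layout that
    pip's docs and pip-compile --generate-hashes produce.
    """
    logical = text.replace("\\\n", " ")
    pinned = {}
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        spec = line.split("--hash=", 1)[0].strip()
        digests = {}
        for m in HASH_RE.finditer(line):
            digests.setdefault(m["alg"], set()).add(m["digest"].lower())
        pinned[spec] = digests
    return pinned


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, streamed so large wheels and sdists are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_artifacts(requirements_text, artifacts):
    """Verify downloaded files against the pinned hashes.

    artifacts maps requirement spec -> local file path. Returns spec -> status:
      'ok'        one of the pinned digests matches the file
      'mismatch'  the file's digest is not among the pinned digests (pip's error above)
      'unhashed'  the spec carries no hash; in hash-checking mode pip rejects this as well
    """
    pinned = parse_requirements(requirements_text)
    report = {}
    for spec, path in artifacts.items():
        digests = pinned.get(spec, {})
        if not digests:
            report[spec] = "unhashed"
            continue
        matched = any(file_digest(path, alg) in allowed for alg, allowed in digests.items())
        report[spec] = "ok" if matched else "mismatch"
    return report


def hash_lines(paths, algorithm="sha256"):
    """The '--hash=<alg>:<hex>' option pip hash prints, one per file, for regenerating pins."""
    return [f"--hash={algorithm}:{file_digest(p, algorithm)}" for p in paths]


def demo():
    """Constructed scenario: three fake wheels; one pinned correctly, one pinned to a stale digest, one unpinned."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "alpha-1.0-py3-none-any.whl"        # constructed, not a real wheel
        stale = Path(tmp) / "beta-2.0-py3-none-any.whl"        # constructed, not a real wheel
        unpinned = Path(tmp) / "gamma-3.0-py3-none-any.whl"    # constructed, not a real wheel
        good.write_bytes(b"constructed wheel bytes for alpha")
        stale.write_bytes(b"constructed wheel bytes for beta, rebuilt after the pin was taken")
        unpinned.write_bytes(b"constructed wheel bytes for gamma")

        stale_pin = "--hash=sha256:" + "0" * 64   # digest of an older build; will not match
        requirements = "\n".join([
            "# constructed requirements file",
            "alpha==1.0 \\",
            f"    {hash_lines([good])[0]}",       # fresh pin, as pip hash would print it
            "beta==2.0 \\",
            f"    {stale_pin}",
            "gamma==3.0",                         # no hash at all
            "",
        ])
        return check_artifacts(
            requirements, {"alpha==1.0": good, "beta==2.0": stale, "gamma==3.0": unpinned}
        )


if __name__ == "__main__":
    for spec, status in demo().items():
        print(f"{spec:12} {status}")
```

Running the script prints ok for alpha, mismatch for beta and unhashed for gamma; the first two are what pip's "Expected / Got" lines report, and the third is why adding a single --hash to a file forces every other requirement to be pinned too. To repair a stale pin, feed the freshly downloaded file to hash_lines (or to pip hash) and replace the old option only after the digest has been compared with the one published on PyPI.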


Dead Ends

Common approaches that don't work:

  1. Deleting the entire requirements file and recreating it manually 70% fail

    This removes all hash verification, leaving the system vulnerable to supply chain attacks, and loses the original dependency specifications.

  2. Stripping the --hash options from the requirements file whenever the error appears 80% fail

    pip install has no --no-hashes flag; the only way to silence the error without fixing the pins is to remove the hashes, which disables integrity checks for every install, is unsafe in production environments, and defeats the purpose of hash verification.

  3. Re-downloading the same requirements file from the same source 50% fail

    If the upstream source is compromised or the file is stale, re-downloading will yield the same mismatched hashes.