# ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.

- **ID:** `pip/requirements-file-hash-mismatch`
- **Domain:** pip
- **Category:** data_error
- **Error Code:** `ERROR`
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

pip hashes every distribution file it downloads and, in hash-checking mode (implied as soon as any requirement in the file carries a `--hash=` option, or forced with `--require-hashes`), refuses to install a file whose digest is not among those listed for that requirement. The error prints the `Expected` digest from the requirements file next to the `Got` digest of the file actually downloaded. Hashes are per file, not per release, so a mismatch means one of the following: the requirements file is stale after a version bump; the pin lists the hash of a different file for the same version (typically another platform's wheel, or the sdist where pip selected a wheel); pip is resolving against a mirror, proxy or extra index that serves a different file; the download was corrupted; or the file was tampered with in transit or at the index. Only the last two are security incidents, but the error cannot tell them apart from the first three, so the file must be checked before the pin is changed.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| pip 20.0+ | active | pip 8.0 (hash-checking mode) | — |
| Python 3.9 | active | — | — |

## Workarounds

1. **Regenerate the hashes from the index instead of hand-editing them** (90% success)
   ```
   pip-compile --generate-hashes --output-file requirements.txt requirements.in
   ```
   `pip freeze` has no `--hash` option; pip-tools' `pip-compile --generate-hashes` writes one `--hash=sha256:` entry per published file of each pinned release, so the file also covers wheels for other platforms. Without pip-tools, hash a single package by downloading it first: `pip download --no-deps -d dl 'pkg==X.Y' && pip hash dl/*`.
2. **Confirm pip is resolving against the index you think it is** (85% success)
   ```
   pip config list
   pip install --require-hashes --index-url https://pypi.org/simple/ -r requirements.txt
   ```
   A mismatch is frequently a mirror, caching proxy or extra index (`PIP_INDEX_URL`, `PIP_EXTRA_INDEX_URL`, `pip.conf`) serving a different file for the same version. Hash checking is already in force once any `--hash` appears in the file; `--require-hashes` additionally refuses any requirement, including transitive ones, that lacks a hash.
3. **Inspect the artifact pip fetched before trusting it** (80% success)
   ```
   pip download --no-deps -d verify 'pkg==X.Y'
   pip hash verify/*
   pip debug --verbose
   ```
   Compare the digest with the one PyPI shows on the release's download files page (or `urls[].digests.sha256` in `https://pypi.org/pypi/pkg/X.Y/json`). If PyPI's digest matches the download but not the requirements file, the pin is stale or lists another platform's wheel (`pip debug --verbose` prints the compatible tags, so you can see which wheel pip will select): update the pin. If the download matches neither, do not install it; something between you and the index changed the file. `pip install` has no `--no-hashes` flag; the only way to skip verification is to delete the `--hash` entries, which is a dead end below.
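The triage in the three steps above, as an added example that is not part of this page or of pip: the script parses the `--hash=sha256:` pins from a requirements file in pip's own syntax (including backslash continuations and comments), hashes the artifacts that `pip download -d <dir>` fetched, and classifies each one as matching the pin, published by the index but not pinned (stale pin or other platform's wheel), or unknown to both (do not install). The index digests are assumed to have been fetched separately from the PyPI JSON API; here they and the artifact bytes are constructed so the example runs offline.

```python
"""Offline triage of a pip hash mismatch (added example, not pip's own code).

Assumes pip's requirements syntax (``pkg==ver --hash=sha256:<hex>`` with
``\\`` continuations) and an artifact directory filled by
``pip download -d <dir> -r requirements.txt``.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# One pip hash option as it appears in a requirements file.
_HASH_OPT = re.compile(r"^--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)$")
# pip treats '#' as a comment only at line start or after whitespace.
_COMMENT = re.compile(r"(^|\s)#.*$")


def parse_requirement_hashes(text):
    """Return {requirement string: set of pinned sha256 hex digests}."""
    pins, pending = {}, []
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).rstrip()
        if line.endswith("\\"):          # logical line continues
            pending.append(line[:-1])
            continue
        pending.append(line)
        tokens = " ".join(pending).split()
        pending = []
        if not tokens or tokens[0].startswith("-"):
            continue                      # blank, or an option line (-r, --index-url)
        first_hash = next((i for i, t in enumerate(tokens)
                           if t.startswith("--hash=")), len(tokens))
        req = " ".join(tokens[:first_hash])
        digests = set()
        for tok in tokens[first_hash:]:
            m = _HASH_OPT.match(tok)
            if m and m.group(1) == "sha256":
                digests.add(m.group(2).lower())
        pins[req] = digests
    return pins


def sha256_file(path):
    """Digest a file in chunks; this is the 'Got' value pip prints."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(pinned, local_digest, index_digests):
    """ok: pin matches. stale-pin: the index publishes this file but the pin
    does not list it (stale, or another platform's wheel was pinned).
    unverified-artifact: neither pin nor index knows it; do not install."""
    if local_digest in pinned:
        return "ok"
    if local_digest in index_digests:
        return "stale-pin"
    return "unverified-artifact"


def triage(requirements_text, artifact_dir, index_digests):
    """Map each pinned requirement to (artifact filename, verdict)."""
    report = {}
    artifacts = list(Path(artifact_dir).iterdir())
    for req, pinned in parse_requirement_hashes(requirements_text).items():
        # PEP 503-style normalisation, enough to pair a pin with its file.
        project = re.split(r"[\s=<>!~;\[]", req, maxsplit=1)[0]
        project = re.sub(r"[-_.]+", "-", project).lower()
        for path in artifacts:
            fname = re.sub(r"[-_.]+", "-", path.name).lower()
            if fname.startswith(project + "-"):
                verdict = classify(pinned, sha256_file(path),
                                   index_digests.get(req, set()))
                report[req] = (path.name, verdict)
    return report


def demo():
    """Constructed scenario (fake bytes, no network) covering all three verdicts."""
    def h(b):
        return hashlib.sha256(b).hexdigest()
    alpha = b"PK\x03\x04 constructed wheel bytes for alpha 1.0"
    beta_linux = b"PK\x03\x04 constructed manylinux wheel for beta 2.0"
    beta_macos = b"PK\x03\x04 constructed macosx wheel for beta 2.0"
    gamma_real = b"\x1f\x8b constructed sdist for gamma 3.0 as published"
    gamma_local = b"\x1f\x8b constructed sdist for gamma 3.0 ALTERED IN TRANSIT"
    # alpha pinned correctly; beta pins only the macOS wheel; gamma pinned
    # correctly but the downloaded file differs from what PyPI publishes.
    requirements = f"""\
--index-url https://pypi.org/simple/   # option lines are skipped
alpha==1.0 \\
    --hash=sha256:{h(alpha)}
beta==2.0 \\
    --hash=sha256:{h(beta_macos)}
gamma==3.0 --hash=sha256:{h(gamma_real)}  # single-line form
"""
    # Stand-in for urls[].digests.sha256 from https://pypi.org/pypi/<p>/<v>/json
    index = {"alpha==1.0": {h(alpha)},
             "beta==2.0": {h(beta_linux), h(beta_macos)},
             "gamma==3.0": {h(gamma_real)}}
    with tempfile.TemporaryDirectory() as d:
        Path(d, "alpha-1.0-py3-none-any.whl").write_bytes(alpha)
        Path(d, "beta-2.0-cp311-cp311-manylinux_2_17_x86_64.whl").write_bytes(beta_linux)
        Path(d, "gamma-3.0.tar.gz").write_bytes(gamma_local)
        return triage(requirements, d, index)


if __name__ == "__main__":
    for req, (fname, verdict) in demo().items():
        print(f"{req:<12} {fname:<50} {verdict}")
```

Only the `stale-pin` verdict justifies editing the requirements file, and the fix there is to add the missing file's digest (pip accepts several `--hash` options per requirement) rather than to replace the existing one. The `Got` digest pip prints can be passed to `classify` directly, without re-downloading.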

## Dead Ends

- **Deleting the entire requirements file and recreating it manually** — This removes all hash verification, leaving the system vulnerable to supply chain attacks, and loses the original dependency specifications. (70% fail)
- **Deleting the `--hash` entries (or dropping `--require-hashes`) whenever the error appears** — `pip install` has no `--no-hashes` flag; removing the pins is the only way to silence the check, and doing so disables integrity verification for every future install, which is unsafe in production and defeats the purpose of pinning hashes. (80% fail)
- **Re-downloading the same requirements file from the same source** — If the upstream source is compromised or the file is stale, re-downloading will yield the same mismatched hashes. (50% fail)
