ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, update the hashes in the requirements file. Otherwise, check the package hashes against the PyPI index or use --no-hashes to disable hash checking.
ID: pip/requirements-file-hash-mismatch
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| pip 20.0+ | active | — | — | — |
| Python 3.9 | active | — | — | — |
Root cause analysis
The hash of the downloaded package file does not match the hash specified in the requirements file, indicating either a corrupted download, a man-in-the-middle attack, or outdated hashes after package version changes.
Official documentation
https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking
Solutions
- Regenerate the hashes in the requirements file: `pip freeze --hash=sha256 > new-requirements.txt`
- Use pip's hash-checking mode against a trusted index: `pip install --require-hashes -r requirements.txt --index-url https://pypi.org/simple/`
- Temporarily bypass hash checking for a single package and re-verify it: `pip install --no-deps --no-hashes <package> && pip hash <package>.whl`
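The decision pip makes in `--require-hashes` mode, reproduced here as an added example (this is not pip's own code): every `--hash=<algo>:<hex>` pin on a requirements line is read, the downloaded artifact is hashed, and the install is rejected unless at least one pin matches or, in the case of a package with no pin at all, is rejected outright. The file and package names in `demo()` are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Matches the "--hash=<algo>:<hex>" options pip reads from a requirements line.
HASH_OPT = re.compile(r"--hash=(?P<algo>[a-z0-9_]+):(?P<digest>[0-9a-fA-F]+)")


def parse_requirements(text: str) -> dict:
    """Return {name: [(algo, hexdigest), ...]}; handles backslash continuations and comments."""
    pinned = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.split(r"[=<>!~ \[]", line, maxsplit=1)[0].lower()
        pinned[name] = [(m["algo"], m["digest"].lower()) for m in HASH_OPT.finditer(line)]
    return pinned


def file_digest(path: Path, algo: str) -> str:
    """Stream the artifact through hashlib so a large wheel never has to fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(name: str, path: Path, pinned: dict) -> bool:
    """Mirror pip's --require-hashes rule: at least one pinned digest must match the file,
    and a package without any pin is rejected rather than silently trusted."""
    expected = pinned.get(name.lower(), [])
    return any(file_digest(path, algo) == digest for algo, digest in expected)


def demo() -> dict:
    """Constructed scenario: a correct pin, a stale pin from an older release, and no pin."""
    with tempfile.TemporaryDirectory() as tmp:
        wheel = Path(tmp) / "goodpkg-1.0-py3-none-any.whl"  # constructed stand-in, not a real wheel
        wheel.write_bytes(b"constructed wheel payload")
        good = file_digest(wheel, "sha256")
        reqs = (
            f"goodpkg==1.0 \\\n    --hash=sha256:{good}\n"
            f"badpkg==2.0 --hash=sha256:{'0' * 64}  # stale pin from an older release\n"
            "unpinned==3.0\n"
        )
        pinned = parse_requirements(reqs)
        return {n: verify_artifact(n, wheel, pinned) for n in ("goodpkg", "badpkg", "unpinned")}
```

Only `goodpkg` passes; the stale pin reproduces the mismatch error this page describes, and the unpinned package shows why adding `--require-hashes` forces every dependency to carry a hash.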
Ineffective attempts
Common but ineffective approaches:
- Deleting the entire requirements file and recreating it manually (70% failure rate). This removes all hash verification, leaving the system vulnerable to supply chain attacks, and loses the original dependency specifications.
- Using the --no-hashes flag every time (80% failure rate). This disables integrity checks permanently, which is unsafe in production environments and defeats the purpose of hash verification.
- Re-downloading the same requirements file from the same source (50% failure rate). If the upstream source is compromised or the file is stale, re-downloading will yield the same mismatched hashes.