# 错误：这些包与 requirements 文件中的哈希不匹配。如果你已更新包版本，请更新 requirements 文件中的哈希。否则，请对照 PyPI 索引检查包哈希，或使用 --no-hashes 禁用哈希检查。

- **ID:** `pip/requirements-file-hash-mismatch`
- **领域:** pip
- **类别:** data_error
- **错误码:** `ERROR`
- **验证级别:** ai_generated
- **修复率:** 85%

## 根因

下载的包文件的哈希与 requirements 文件中指定的哈希不匹配，表明下载损坏、中间人攻击或包版本更改后哈希过时。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| pip 20.0+ | active | — | — |
| Python 3.9 | active | — | — |

## 解决方案

1. ```
   重新生成 requirements 文件的哈希：pip freeze --hash=sha256 > new-requirements.txt
   ```
2. ```
   使用受信任索引的 pip 哈希检查模式：pip install --require-hashes -r requirements.txt --index-url https://pypi.org/simple/
   ```
3. ```
   临时绕过一个包的哈希检查并重新验证：pip install --no-deps --no-hashes <package> && pip hash <package>.whl
   ```

## 无效尝试

- **Deleting the entire requirements file and recreating it manually** — This removes all hash verification, leaving the system vulnerable to supply chain attacks, and loses the original dependency specifications. (70% 失败率)
- **Using --no-hashes flag every time** — This disables integrity checks permanently, which is unsafe in production environments and defeats the purpose of hash verification. (80% 失败率)
- **Re-downloading the same requirements file from the same source** — If the upstream source is compromised or the file is stale, re-downloading will yield the same mismatched hashes. (50% 失败率)