pip "THESE PACKAGES DO NOT MATCH THE HASHES" - Fix Hash Mismatch
With hash-checking on, pip computed the hash of a downloaded file and it did not match any hash you pinned. Either the recorded hashes are stale/incomplete, or the download differs from what you locked.
What this error means
pip aborts with "THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE", showing the expected and the got hashes. It happens with --require-hashes or a hashed lockfile after the upstream artifact or the file set changed.
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE.
certifi==2024.2.2 from https://.../certifi-2024.2.2-py3-none-any.whl:
Expected sha256 0e8f6...
Got a1b2c...Common causes
Pinned hashes are stale or incomplete
The package was re-released, or your lockfile only recorded the wheel hash while pip is downloading an sdist (or a different-platform wheel) whose hash you never pinned.
A different artifact than you locked
A mirror serving a rebuilt or tampered file, or a resolver picking a different file for this platform/Python, yields a hash that does not match the locked one.
A corrupted or truncated download
A partial download over a flaky link produces a file whose hash differs from the genuine artifact.
How to fix it
Regenerate the hashed lockfile
Re-compile the lockfile with hashes so every file pip might choose is covered.
pip install pip-tools
pip-compile --generate-hashes requirements.in
# verify install with hashes
pip install --require-hashes -r requirements.txtClear the cache and re-download
If a corrupted cached file is the culprit, purge it and retry.
pip cache purge
pip install --no-cache-dir --require-hashes -r requirements.txtPin all valid hashes for a package
- Include hashes for every artifact pip may select (each wheel and the sdist).
- Pin exact
==versions so a re-release cannot change the file under you. - Use a single trusted index so a mirror cannot serve a different file.
How to prevent it
- Generate hashes with a lockfile tool, not by hand.
- Pin exact versions alongside hashes so re-releases do not break.
- Use one trusted index to keep artifacts consistent.