Skip to content
Latchkey

pip "THESE PACKAGES DO NOT MATCH THE HASHES" - Fix Hash Mismatch

With hash-checking on, pip computed the hash of a downloaded file and it did not match any hash you pinned. Either the recorded hashes are stale/incomplete, or the download differs from what you locked.

What this error means

pip aborts with "THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE", showing the expected and the got hashes. It happens with --require-hashes or a hashed lockfile after the upstream artifact or the file set changed.

pip output
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE.
    certifi==2024.2.2 from https://.../certifi-2024.2.2-py3-none-any.whl:
        Expected sha256 0e8f6...
             Got        a1b2c...

Common causes

Pinned hashes are stale or incomplete

The package was re-released, or your lockfile only recorded the wheel hash while pip is downloading an sdist (or a different-platform wheel) whose hash you never pinned.

A different artifact than you locked

A mirror serving a rebuilt or tampered file, or a resolver picking a different file for this platform/Python, yields a hash that does not match the locked one.

A corrupted or truncated download

A partial download over a flaky link produces a file whose hash differs from the genuine artifact.

How to fix it

Regenerate the hashed lockfile

Re-compile the lockfile with hashes so every file pip might choose is covered.

Terminal
pip install pip-tools
pip-compile --generate-hashes requirements.in
# verify install with hashes
pip install --require-hashes -r requirements.txt

Clear the cache and re-download

If a corrupted cached file is the culprit, purge it and retry.

Terminal
pip cache purge
pip install --no-cache-dir --require-hashes -r requirements.txt

Pin all valid hashes for a package

  1. Include hashes for every artifact pip may select (each wheel and the sdist).
  2. Pin exact == versions so a re-release cannot change the file under you.
  3. Use a single trusted index so a mirror cannot serve a different file.

How to prevent it

  • Generate hashes with a lockfile tool, not by hand.
  • Pin exact versions alongside hashes so re-releases do not break.
  • Use one trusted index to keep artifacts consistent.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →