linkedin / qark

Tool to look for several security related Android application vulnerabilities

requirements.txt check failed #292

Open noraj opened 5 years ago

noraj commented 5 years ago

When I was doing pip install -r requirements.txt I got the following. Specifying hashes will break the install each time there is any update of a PyPI dependency.

THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    cffi==1.11.5 from https://files.pythonhosted.org/packages/51/7b/d1014289d0578c3522b2798b9cb87c65e5b36798bd3ae68a75fa1fe09e78/cffi-1.11.5-cp37-cp37m-manylinux1_x86_64.whl#sha256=a6a5cb8809091ec9ac03edde9304b3ad82ad4466333432b16d78ef40e0cce0d5 (from -r requirements.txt (line 9)):
        Expected sha256 151b7eefd035c56b2b2e1eb9963c90c6302dc15fbd8c1c0a83a163ff2c7d7743
        Expected     or 1553d1e99f035ace1c0544050622b7bc963374a00c467edafac50ad7bd276aef
        Expected     or 1b0493c091a1898f1136e3f4f991a784437fac3673780ff9de3bcf46c80b6b50
        Expected     or 2ba8a45822b7aee805ab49abfe7eec16b90587f7f26df20c71dd89e45a97076f
        Expected     or 3c85641778460581c42924384f5e68076d724ceac0f267d66c757f7535069c93
        Expected     or 3eb6434197633b7748cea30bf0ba9f66727cdce45117a712b29a443943733257
        Expected     or 4c91af6e967c2015729d3e69c2e51d92f9898c330d6a851bf8f121236f3defd3
        Expected     or 770f3782b31f50b68627e22f91cb182c48c47c02eb405fd689472aa7b7aa16dc
        Expected     or 79f9b6f7c46ae1f8ded75f68cf8ad50e5729ed4d590c74840471fc2823457d04
        Expected     or 7a33145e04d44ce95bcd71e522b478d282ad0eafaf34fe1ec5bbd73e662f22b6
        Expected     or 857959354ae3a6fa3da6651b966d13b0a8bed6bbc87a0de7b38a549db1d2a359
        Expected     or 87f37fe5130574ff76c17cab61e7d2538a16f843bb7bca8ebbc4b12de3078596
        Expected     or 95d5251e4b5ca00061f9d9f3d6fe537247e145a8524ae9fd30a2f8fbce993b5b
        Expected     or 9d1d3e63a4afdc29bd76ce6aa9d58c771cd1599fbba8cf5057e7860b203710dd
        Expected     or a36c5c154f9d42ec176e6e620cb0dd275744aa1d804786a71ac37dc3661a5e95
        Expected     or ae5e35a2c189d397b91034642cb0eab0e346f776ec2eb44a49a459e6615d6e2e
        Expected     or b0f7d4a3df8f06cf49f9f121bead236e328074de6449866515cea4907bbc63d6
        Expected     or b75110fb114fa366b29a027d0c9be3709579602ae111ff61674d28c93606acca
        Expected     or ba5e697569f84b13640c9e193170e89c13c6244c24400fc57e88724ef610cd31
        Expected     or be2a9b390f77fd7676d80bc3cdc4f8edb940d8c198ed2d8c0be1319018c778e1
        Expected     or d5d8555d9bfc3f02385c1c37e9f998e2011f0db4f90e250e5bc0c0a85a813085
        Expected     or e55e22ac0a30023426564b1059b035973ec82186ddddbac867078435801c7801
        Expected     or e90f17980e6ab0f3c2f3730e56d1fe9bcba1891eeea58966e89d352492cc74f4
        Expected     or ecbb7b01409e9b782df5ded849c178a0aa7c906cf8c5a67368047daab282b184
        Expected     or ed01918d545a38998bfa5902c7c00e0fee90e957ce036a4000a88e3fe2264917
        Expected     or edabd457cd23a02965166026fd9bfd196f4324fe6032e866d0f3bd0301cd486f
        Expected     or fdf1c1dc5bafc32bc5d08b054f94d659422b05aba244d6be4ddc1c72d9aa70fb
             Got        a6a5cb8809091ec9ac03edde9304b3ad82ad4466333432b16d78ef40e0cce0d5

PS: I have the same issue with the updated requirements.txt.

noraj commented 5 years ago

Updated file with pip-compile --generate-hashes --output-file requirements.txt requirements_to_freeze.txt

#
# This file is autogenerated by pip-compile
# To update, run:
#
#    pip-compile --generate-hashes --output-file requirements.txt requirements_to_freeze.txt
#
asn1crypto==0.24.0 \
    --hash=sha256:2f1adbb7546ed199e3c90ef23ec95c5cf3585bac7d11fb7eb562a3fe89c64e87 \
    --hash=sha256:9d5c20441baf0cb60a4ac34cc447c6c189024b6b4c6cd7877034f4965c464e49 \
    # via cryptography
certifi==2018.1.18 \
    --hash=sha256:14131608ad2fd56836d33a71ee60fa1c82bc9d2c8d98b7bdbc631fe1b3cd1296 \
    --hash=sha256:edbc3f203427eef571f79a7692bb160a2b0f7ccaa31953e99bd17e307cf63f7d \
    # via requests
cffi==1.11.5 \
    --hash=sha256:151b7eefd035c56b2b2e1eb9963c90c6302dc15fbd8c1c0a83a163ff2c7d7743 \
    --hash=sha256:1553d1e99f035ace1c0544050622b7bc963374a00c467edafac50ad7bd276aef \
    --hash=sha256:1b0493c091a1898f1136e3f4f991a784437fac3673780ff9de3bcf46c80b6b50 \
    --hash=sha256:2ba8a45822b7aee805ab49abfe7eec16b90587f7f26df20c71dd89e45a97076f \
    --hash=sha256:3c85641778460581c42924384f5e68076d724ceac0f267d66c757f7535069c93 \
    --hash=sha256:3eb6434197633b7748cea30bf0ba9f66727cdce45117a712b29a443943733257 \
    --hash=sha256:4c91af6e967c2015729d3e69c2e51d92f9898c330d6a851bf8f121236f3defd3 \
    --hash=sha256:770f3782b31f50b68627e22f91cb182c48c47c02eb405fd689472aa7b7aa16dc \
    --hash=sha256:79f9b6f7c46ae1f8ded75f68cf8ad50e5729ed4d590c74840471fc2823457d04 \
    --hash=sha256:7a33145e04d44ce95bcd71e522b478d282ad0eafaf34fe1ec5bbd73e662f22b6 \
    --hash=sha256:857959354ae3a6fa3da6651b966d13b0a8bed6bbc87a0de7b38a549db1d2a359 \
    --hash=sha256:87f37fe5130574ff76c17cab61e7d2538a16f843bb7bca8ebbc4b12de3078596 \
    --hash=sha256:95d5251e4b5ca00061f9d9f3d6fe537247e145a8524ae9fd30a2f8fbce993b5b \
    --hash=sha256:9d1d3e63a4afdc29bd76ce6aa9d58c771cd1599fbba8cf5057e7860b203710dd \
    --hash=sha256:a36c5c154f9d42ec176e6e620cb0dd275744aa1d804786a71ac37dc3661a5e95 \
    --hash=sha256:ae5e35a2c189d397b91034642cb0eab0e346f776ec2eb44a49a459e6615d6e2e \
    --hash=sha256:b0f7d4a3df8f06cf49f9f121bead236e328074de6449866515cea4907bbc63d6 \
    --hash=sha256:b75110fb114fa366b29a027d0c9be3709579602ae111ff61674d28c93606acca \
    --hash=sha256:ba5e697569f84b13640c9e193170e89c13c6244c24400fc57e88724ef610cd31 \
    --hash=sha256:be2a9b390f77fd7676d80bc3cdc4f8edb940d8c198ed2d8c0be1319018c778e1 \
    --hash=sha256:d5d8555d9bfc3f02385c1c37e9f998e2011f0db4f90e250e5bc0c0a85a813085 \
    --hash=sha256:e55e22ac0a30023426564b1059b035973ec82186ddddbac867078435801c7801 \
    --hash=sha256:e90f17980e6ab0f3c2f3730e56d1fe9bcba1891eeea58966e89d352492cc74f4 \
    --hash=sha256:ecbb7b01409e9b782df5ded849c178a0aa7c906cf8c5a67368047daab282b184 \
    --hash=sha256:ed01918d545a38998bfa5902c7c00e0fee90e957ce036a4000a88e3fe2264917 \
    --hash=sha256:edabd457cd23a02965166026fd9bfd196f4324fe6032e866d0f3bd0301cd486f \
    --hash=sha256:fdf1c1dc5bafc32bc5d08b054f94d659422b05aba244d6be4ddc1c72d9aa70fb \
    # via cryptography
chardet==3.0.4 \
    --hash=sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae \
    --hash=sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691 \
    # via requests
click==6.7 \
    --hash=sha256:29f99fc6125fbc931b758dc053b3114e55c77a6e4c6c3a2674a2dc986016381d \
    --hash=sha256:f15516df478d5a56180fbf80e68f206010e6d160fc39fa508b65e035fd75130b
cryptography==2.2.1 \
    --hash=sha256:0f61273eccc681dc5a77dcd517cc2cb74078d1b00adb2b273d0a010153ae43c7 \
    --hash=sha256:27dd18e180608c512433c843ad2d62396399608a0f3603c4d805500caeeec3d6 \
    --hash=sha256:2893ee1d67dace6178732c9ea8c176fedf5b6a6463f72f1378b779cdba8a0ea5 \
    --hash=sha256:2c5265c622e02af289bdc5e96c0a572bffa2fc2ac3f86fac3bace632ab25888c \
    --hash=sha256:34a433c3783946106236c25a89e0c271a3bb1a8e8cd8f12782e8bf8bec4e351e \
    --hash=sha256:39532ae44154ce88eec25d2a361e9c285b2477e0a4b4fc61fb9d4bcb3804dec6 \
    --hash=sha256:469a72fda257b2179bb43e431b822d8087da53b40e68813bcfa54a16c3ebcdfe \
    --hash=sha256:54029ce210d3013dccced6478f4dfb25e7a409e13086f714be9c14489c64e2c7 \
    --hash=sha256:54776f1e2ffd957571b79738fb41d8df69a93edb6d148ca149494d73975e8cab \
    --hash=sha256:84642ad31dccf9969b2613fa532ff5e871e9ee592ab0244dc9f6724e56591b8b \
    --hash=sha256:8ce363eed7ccc70f53be6ea4200aa20bbff99c8cbfce21a904f98e76c2bf5887 \
    --hash=sha256:95b7822c8bf203bafb95527eaf8995d9dd4eef1b6899631f9293aa6926dab1d9 \
    --hash=sha256:9f2d66952fc55f13f9c62ea6ae6ff88c2f9c2c21533065e1f7bddf0cf33c4cb9 \
    --hash=sha256:c27ed8b01d5feeff8479384ed782bad1e5071563f47194703f0dc20c1b558503 \
    --hash=sha256:cf1069fda0c8e1d2bbef2cf0de0be797860c8a34d1df3a24f1180045fc06974f \
    --hash=sha256:dddad9d322a3f0867009ff9f25477b8f7c0bdbedf143704b384c9472f11cb2d3 \
    --hash=sha256:e42b290eb7804d82c6d614b55e3b726dee464099a0e6240175f8d7b682b9295d \
    # via pyopenssl, requests
idna==2.6 \
    --hash=sha256:2c6a5de3089009e3da7c5dde64a141dbc8551d5b7f6cf4ed7c2568d0cc520a8f \
    --hash=sha256:8c7309c718f94b3a625cb648ace320157ad16ff131ae0af362c9f21b80ef6ec4 \
    # via cryptography, requests
javalang==0.11.0 \
    --hash=sha256:3fcab8c0d4a1c51512bc7de1f4aaf9de8fb582833746b572478da6c0ac318a0b
jinja2==2.10 \
    --hash=sha256:74c935a1b8bb9a3947c50a54766a969d4846290e1e788ea44c1392163723c3bd \
    --hash=sha256:f84be1bb0040caca4cea721fcbbbbd61f9be9464ca236387158b0feea01914a4
markupsafe==1.0 \
    --hash=sha256:a6be69091dac236ea9c6bc7d012beab42010fa914c459791d627dad4910eb665 \
    # via jinja2
pluginbase==0.5 \
    --hash=sha256:b4f830242a078a4f44c978a84f3365bba4d008fdd71a591c71447f4df35354dd
pycparser==2.18 \
    --hash=sha256:99a8ca03e29851d96616ad0404b4aad7d9ee16f25c9f9708a11faf2810f7b226 \
    # via cffi
pyopenssl==17.5.0 \
    --hash=sha256:07a2de1a54de07448732a81e38a55df7da109b2f47f599f8bb35b0cbec69d4bd \
    --hash=sha256:2c10cfba46a52c0b0950118981d61e72c1e5b1aac451ca1bc77de1a679456773 \
    # via requests
requests[security]==2.18.4 \
    --hash=sha256:6a1b267aa90cac58ac3a765d067950e7dbbf75b1da07e895d1f594193a40a38b \
    --hash=sha256:9c443e7324ba5b85070c4a818ade28bfabedf16ea10206da1132edaa6dda237e
six==1.11.0 \
    --hash=sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9 \
    --hash=sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb
urllib3==1.22 \
    --hash=sha256:06330f386d6e4b195fbfc736b297f58c5a892e4440e54d294d7004e3a9bbea1b \
    --hash=sha256:cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f \
    # via requests

diff:

1,6d0
< #
< # This file is autogenerated by pip-compile
< # To update, run:
< #
< #    pip-compile --generate-hashes --output-file requirements.txt requirements_to_freeze.txt
< #
69a64,68
> enum34==1.1.6 ; python_version < "3.4" \
>     --hash=sha256:2d81cbbe0e73112bdfe6ef8576f2238f2ba27dd0d55752a776c41d38b7da2850 \
>     --hash=sha256:644837f692e5f550741432dd3f223bbb9852018674981b1664e5dc339387588a \
>     --hash=sha256:6bd0f6ad48ec2aa117d3d141940d484deccda84d4fcd884f5c3d93c23ecd8c79 \
>     --hash=sha256:8ad8c4783bf61ded74527bffb48ed9b54166685e4230386a9ed9b1279e2df5b1
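Review bot: dropping the enum34==1.1.6 entry removes a pin that was guarded by the marker python_version < "3.4", so the regenerated file can only be installed in hash-checking mode on interpreters where that marker is false. The install in this thread resolves a cp37 wheel, which is why the entry looks unnecessary here; if older interpreters are still a target, keep the entry with its marker or compile a separate hash-pinned file per Python version.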
73a73,75
> ipaddress==1.0.19 \
>     --hash=sha256:200d8686011d470b5e4de207d803445deee427455cd0cb7c982b68cf82524f81 \
>     # via cryptography
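Review bot: ipaddress==1.0.19 is annotated as coming in via cryptography, and cryptography==2.2.1 is still pinned in the regenerated file, so removing this entry leaves a transitive dependency without a hash wherever cryptography requires it. No hunk in this diff touches the cffi entry either, so the digest pip reported as Got is still absent from the allowed set after regeneration, which matches the error persisting.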
100a103
>

But still the same error.

zuBux commented 5 years ago

Ran into the same issue today; updating pip and running

pip install --no-cache-dir -r requirements.txt

solved it for me
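
The check behind the error in the first comment, as an added example (not QARK's or pip's own code): a simplified parser for a pip-compile --generate-hashes file and a per-artifact decision against its pins. SAMPLE is a constructed excerpt that reuses digests quoted in the thread; the function names are illustrative.

```python
import re

# Constructed excerpt in the pip-compile layout; digests copied from the thread.
SAMPLE = r'''
# This file is autogenerated by pip-compile
cffi==1.11.5 \
    --hash=sha256:151b7eefd035c56b2b2e1eb9963c90c6302dc15fbd8c1c0a83a163ff2c7d7743 \
    --hash=sha256:1553d1e99f035ace1c0544050622b7bc963374a00c467edafac50ad7bd276aef \
    # via cryptography
enum34==1.1.6 ; python_version < "3.4" \
    --hash=sha256:2d81cbbe0e73112bdfe6ef8576f2238f2ba27dd0d55752a776c41d38b7da2850
'''
# Digest pip reported as "Got" for the cp37 manylinux1 wheel of cffi 1.11.5.
GOT = "a6a5cb8809091ec9ac03edde9304b3ad82ad4466333432b16d78ef40e0cce0d5"

def canonical(name):
    return re.sub(r"[-_.]+", "-", name).lower()

def logical_lines(text):
    # Join backslash continuations; a comment or blank line ends one.
    buf = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def parse_pins(text):
    # Map canonical project name -> (pinned version, set of sha256 digests).
    pins = {}
    for line in logical_lines(text):
        m = re.match(r"([A-Za-z0-9._-]+)(?:\[[^\]]*\])?==([^\s;]+)", line)
        if m:
            digests = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", line))
            pins[canonical(m.group(1))] = (m.group(2), digests)
    return pins

def verdict(pins, name, version, digest):
    # An artifact is accepted only if its digest is one of the pinned ones.
    pinned = pins.get(canonical(name))
    if pinned is None:
        return "unpinned"
    if pinned[0] != version:
        return "version-mismatch"
    return "ok" if digest in pinned[1] else "hash-mismatch"

if __name__ == "__main__":
    print(verdict(parse_pins(SAMPLE), "cffi", "1.11.5", GOT))
```

The digest of a locally downloaded wheel or sdist can be obtained with pip hash and passed to verdict in place of GOT.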