pypa / pip

The Python package installer
https://pip.pypa.io/
MIT License

Python packages hash not matching whilst installing using pip package fails hash check #12424

Open fti-sfuke opened 10 months ago

fti-sfuke commented 10 months ago

Description

The following requirements package fails to install: `pip3 install boto3`

With a package-fails-hash-check error: `ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE.`

Expected behavior

boto3 packages must be installed with pip.

pip version

23.1.2

Python version

3.7

OS

Debian GNU/Linux 10 (buster)

How to Reproduce

1. Install the boto3 package: `root@buildhost:/mnt# pip3 install boto3`

2. The package fails; a hash check error occurred.

```text
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
botocore<1.34.0,>=1.33.7 from https://www.piwheels.org/simple/botocore/botocore-1.33.7-py3-none-any.whl#sha256=afd25654101b8d13a01309fe7163009626a8e85ebcb0c6cabf4001bbfbb1c642 (from boto3):
    Expected sha256 afd25654101b8d13a01309fe7163009626a8e85ebcb0c6cabf4001bbfbb1c642
         Got        7985da9ee5f298d54d551add307b34b22a26a8f43847bb6141fc61ca3b5af3c5
```

### Output

```text
root@buildhost:/mnt# pip3 install boto3
Looking in indexes: https://pypi.org/simple, https://www.piwheels.org/simple
Collecting boto3
  Using cached https://www.piwheels.org/simple/boto3/boto3-1.33.7-py3-none-any.whl (136 kB)
Collecting botocore<1.34.0,>=1.33.7 (from boto3)
  Downloading https://www.piwheels.org/simple/botocore/botocore-1.33.7-py3-none-any.whl (11.8 MB)
     ━━━━━━━━━━╸━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.1/11.8 MB 66.4 kB/s eta 0:02:11
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
botocore<1.34.0,>=1.33.7 from https://www.piwheels.org/simple/botocore/botocore-1.33.7-py3-none-any.whl#sha256=afd25654101b8d13a01309fe7163009626a8e85ebcb0c6cabf4001bbfbb1c642 (from boto3):
    Expected sha256 afd25654101b8d13a01309fe7163009626a8e85ebcb0c6cabf4001bbfbb1c642
         Got        7985da9ee5f298d54d551add307b34b22a26a8f43847bb6141fc61ca3b5af3c5
```

### Code of Conduct

- [X] I agree to follow the [PSF Code of Conduct](https://www.python.org/psf/conduct/).

agronholm commented 10 months ago

Are you saying that pip3 on Debian Buster installs wheels by default from www.piwheels.org/simple? I tried this with Docker and couldn't reproduce the problem. What requirements file is that error referring to?

pfmoore commented 10 months ago

You are missing a lot of information necessary to reproduce this issue. As @agronholm says, something (possibly a config file or an environment variable) is directing pip to look at www.piwheels.org/simple. You need to tell us what that is. Also, the error refers to a requirements file but your command doesn't include one. Why is pip looking at a requirements file?

Please reduce this issue to a reproducible example, with all of the necessary setup included in the instructions.

gegnew commented 9 months ago

I'm also having this issue, actually. I'll follow up if I learn anything poking around.

agronholm commented 9 months ago

Perhaps you would like to give some details then?

pettyalex commented 6 months ago

Hey, thank you for opening this issue @fti-sfuke, it helped me track down the problem:

Raspberry Pi OS ships with an `/etc/pip.conf` that includes piwheels.org by default, so hashes won't match wheels published from pypi.org:

```ini
[global]
extra-index-url=https://www.piwheels.org/simple
```

I commented out the line and solved this. This is a bad default, in my opinion, especially for the ARM64 Raspberry Pis. I'm more sympathetic to the case for this on 32-bit OSes. I'm going to see if I can ask the Raspberry Pi people to remove this for 64-bit.
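The check behind the error in this thread comes down to comparing the digest an index advertises in the download URL's `#sha256=` fragment with the digest of the bytes actually received; a wheel rebuilt on a secondary index such as piwheels is a different file, so a hash pinned against the pypi.org build fails that comparison even when nothing malicious happened. The following is an added example, not pip's own code: it reimplements that comparison over constructed stand-in wheel bytes and a hypothetical `index.invalid` host, and adds a small parser for pip's mismatch report (fed the error text from this issue) so failed hash checks can be pulled out of build logs and triaged rather than silently retried.

```python
"""Added example (not pip's code): the comparison behind pip's
'THESE PACKAGES DO NOT MATCH THE HASHES' error, plus a parser for that error.
All artifacts and hosts below are constructed stand-ins; nothing is fetched."""
import hashlib
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample artifacts: the "same" wheel built twice. A rebuild on a
# secondary index differs byte-for-byte from the upstream file, so a hash
# pinned against upstream will not match it.
UPSTREAM_WHEEL = b"PK\x03\x04 constructed upstream wheel bytes\n"
REBUILT_WHEEL = b"PK\x03\x04 constructed rebuilt wheel bytes\n"

SUPPORTED_ALGOS = {"sha256", "sha384", "sha512"}


def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of the received bytes (what pip prints after 'Got')."""
    return hashlib.new(algo, data).hexdigest()


def index_url_for(data: bytes, host: str = "index.invalid") -> str:
    """Build a simple-index style download URL whose fragment pins the hash of
    `data`, the way an index advertises it (hypothetical host and filename)."""
    return "https://%s/simple/pkg/pkg-1.0-py3-none-any.whl#sha256=%s" % (host, digest_hex(data))


def advertised_hash(url: str) -> Optional[Tuple[str, str]]:
    """Return (algorithm, hexdigest) from a '#<algo>=<hex>' URL fragment,
    or None when the index advertised no hash at all."""
    fragment = urlparse(url).fragment
    algo, sep, hexdigest = fragment.partition("=")
    if not sep or not hexdigest:
        return None
    return algo.lower(), hexdigest.lower()


def verify_download(url: str, data: bytes) -> Dict[str, object]:
    """Compare the advertised hash with the hash of the bytes received.
    A mismatch means this is not the file the hash was pinned for (rebuilt on
    another index, corrupted in transit, or tampered with); do not install."""
    advertised = advertised_hash(url)
    if advertised is None:
        return {"ok": False, "reason": "index advertised no hash", "expected": None, "got": None}
    algo, expected = advertised
    if algo not in SUPPORTED_ALGOS:
        return {"ok": False, "reason": "unsupported or weak hash algorithm: " + algo,
                "expected": expected, "got": None}
    got = digest_hex(data, algo)
    ok = got == expected
    return {"ok": ok, "reason": "match" if ok else "hash mismatch", "expected": expected, "got": got}


# Parser for the report pip prints on a mismatch (handy when scanning CI logs).
_REQ_LINE = re.compile(r"^(?P<req>\S.*?) from (?P<url>\S+)(?: \(from [^)]*\))?:$")
_HASH_LINE = re.compile(
    r"^\s*(?P<kind>Expected|Got)\s+(?:(?P<algo>\w+)\s+)?(?P<hex>[0-9a-f]{64,128})\s*$")

# The error text from this issue, used as sample input.
SAMPLE_ERROR = """\
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
botocore<1.34.0,>=1.33.7 from https://www.piwheels.org/simple/botocore/botocore-1.33.7-py3-none-any.whl#sha256=afd25654101b8d13a01309fe7163009626a8e85ebcb0c6cabf4001bbfbb1c642 (from boto3):
    Expected sha256 afd25654101b8d13a01309fe7163009626a8e85ebcb0c6cabf4001bbfbb1c642
         Got        7985da9ee5f298d54d551add307b34b22a26a8f43847bb6141fc61ca3b5af3c5
"""


def parse_pip_hash_error(text: str) -> List[Dict[str, str]]:
    """Extract one {requirement, url, expected, got} record per mismatched file."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = _REQ_LINE.match(line.strip())
        if m:
            current = {"requirement": m.group("req"), "url": m.group("url")}
            entries.append(current)
            continue
        m = _HASH_LINE.match(line)
        if m and current is not None:
            current[m.group("kind").lower()] = m.group("hex")
    return entries


if __name__ == "__main__":
    url = index_url_for(UPSTREAM_WHEEL)
    print("upstream bytes:", verify_download(url, UPSTREAM_WHEEL)["reason"])
    print("rebuilt bytes: ", verify_download(url, REBUILT_WHEEL)["reason"])
    for entry in parse_pip_hash_error(SAMPLE_ERROR):
        print(entry["requirement"], "served by", urlparse(entry["url"]).netloc)
        print("  expected", entry["expected"][:16], "... got", entry["got"][:16], "...")
```

The parser's `url` field is what makes the triage quick: if the host of the mismatched file is not the index the hash was pinned against, the cause is almost certainly a configured `extra-index-url` (as with the `/etc/pip.conf` above), and the fix is to pin `--index-url` to the index the hashes came from rather than to update the hashes.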