Error: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE

Question

When I tried to install libraries using pip install, sometimes this error message come up.

ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.

This error comes up when I am trying to build multiple images using docker-compose V2.

What I have done:

1. pip install --no-cache-dir -r requirements.txt
2. upgrading pip
3. trying the old version of pip (20.0.2).
4. change the version of the affected package.
5. changing the dns

However, it still comes up randomly. The libraries that are referred to the error message also keep changing.

Does anyone know the reason for this issue?

Answer 1

This is pips integrated checking mechanism that is automatically checking the integrity of the downloaded package.

You can check yourself (by clicking view in the has column) that the sha256 of the whl file loaded from pypi should be for example this:

7a2c93be4f874fd42541a1330218d2094015993420bf0bd8fbf19c88e6b49c6a

but for example your error says that you got this:

g4dd3fb13afd095a21c7dfd0d2f9bd0a3593c3c78e81ca2f475429490752e7b8

So pip is (for security reasons) not installing the package for you. I would suggest to:

• Check if pip is taking the whl from some tmp directory on your system with an incorrectly downloaded whl file sitting there - If so, try deleting it
• Check if you can install other packages without issues
• Try to manually download the whl file and then check the output of pip hash <whl file> (if it matches the g4dd3fb13af... sha) and if you can do pip install <whl file>

And besides, there was a similar problem for me, I tried it and it worked:

sudo pip install --no-cache-dir `YOUR_PACKAGE_NAME`

Answer 2

If --no-cache-dir is not working for your, perhaps, you cache directory has cached packages from different requirements files. So you might want to try to delete those:

rm ~/.cache/pip -rf (or just specify your env .cache directory).

Answer 3

I had the same problem and it worked for me:

python -m pip install --trusted-host pypi.python.org --trusted-host files.pythonhosted.org --trusted-host pypi.org --trusted-host files.pythonhosted.org pip YOUR-PACKAGE

If it doesn't work, try to get the site shown in the error and add before "YOUR-PACKAGE" -> " --trusted-host YOUR-ERROR-SITE"

In the image above the website presented to me was

files.pythohosted.org

I just added --trusted-host files.pythohosted.org

If still not successful, try deleting all files in site-packages/_pyinstaller_hooks_contrib and site-packages/Pyinstaller/hooks

Check if there are any files with the name of the package to be installed inside the site-packages folder and delete them

and try install again

Answer 4

I got the problem when installing open3d. the --no-cache-dir method won't work. I just used wget to download the .whl file and install it from localhost. It's a ugly method, but really works. What you need to do is check whether the package works.