Can't verify hashes for these requirements because we don't have a way to hash version control repositories

Question

I have the following requirements file:

...
sqlalchemy==1.2.3 --hash=sha256:9e9ec143e2e246f385cfb2de8daa89d2fa466279addcb7be9e102988fdf33d24
werkzeug==0.14.1 --hash=sha256:d5da73735293558eb1651ee2fddc4d0dedcfa06538b8813a2e20011583c9e49b  
git+ssh://gitlab.domain.com/private_pkg.git#egg=private_pkg

Installing the project from shell works perfect:

pip install git+ssh://gitlab.domain.com/private_pkg.git#egg=private_pkg

but trying to install it from the requirements file raises this error:

Can't verify hashes for these requirements because we don't have a way to hash version control repositories:
    private_pkg from git+ssh://gitlab.domain.com/private_pkg.git#egg=private_pkg (from -r requirements/prod.lock (line 30))

NB: the hashes in the requirement files a generated from pipenv lock -r

score 5 · Accepted Answer · answered Jun 05 '18 at 08:24

The --hash option in pip is all-or-nothing. You either specify none, or need to specify all of them. Packages not hosted on PyPI cannot have a hash, however, which causes the failure. Installing your project with any package with the --hash option set, and you’d see what the problem is.

Newer versions of Pipenv removed hashes from exported requirements.txt altogether to avoid the problem.

Can't verify hashes for these requirements because we don't have a way to hash version control repositories

1 Answers1