Pipfile.lock contains md5 hashes on my docker build
Issue description
I have a problem with pipfile.lock and I can’t find out what is causing it.
On my local machine, which is a Windows 10, if I remove Pipfile.lock and issue a pipenv install,
I get sha256 hashes in Pipfile.lock, as seen here:
    "coloredlogs": {
        "hashes": [
            "sha256:14525820de1f749f836763a6631a48d4854f59160c42d4e81a3ecb625514615c"
        ],
        "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
        "version": "==14.101"
    },
However, on my build machine, which is a Linux server building a docker container with Python 3.8.6, I get the following error when running pipenv install:
Updated Pipfile.lock (6c5e70)!
Installing dependencies from Pipfile.lock (6c5e70)...
An error occurred while installing coloredlogs==14.101; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' --hash=md5:74c9ee3424df05e34f093b130e0fea9f! Will try again.
An error occurred while installing petpcomms==0.1.12 --hash=md5:04d97ee07edaaacab3cd72268b0aebae! Will try again.
An error occurred while installing petpmvcs==0.1.50 --hash=md5:5e111dbd663627bf0586c76024362d65! Will try again.
Installing initially failed dependencies...
[InstallError]: File "/usr/local/lib/python3.8/site-packages/pipenv/cli/command.py", line 232, in install
[InstallError]: retcode = do_install(
[InstallError]: File "/usr/local/lib/python3.8/site-packages/pipenv/core.py", line 2051, in do_install
[InstallError]: do_init(
[InstallError]: File "/usr/local/lib/python3.8/site-packages/pipenv/core.py", line 1304, in do_init
[InstallError]: do_install_dependencies(
[InstallError]: File "/usr/local/lib/python3.8/site-packages/pipenv/core.py", line 899, in do_install_dependencies
[InstallError]: batch_install(
[InstallError]: File "/usr/local/lib/python3.8/site-packages/pipenv/core.py", line 796, in batch_install
[InstallError]: _cleanup_procs(procs, failed_deps_queue, retry=retry)
[InstallError]: File "/usr/local/lib/python3.8/site-packages/pipenv/core.py", line 703, in _cleanup_procs
[InstallError]: raise exceptions.InstallError(c.dep.name, extra=err_lines)
[pipenv.exceptions.InstallError]: Usage: pip [options]
[pipenv.exceptions.InstallError]:
[pipenv.exceptions.InstallError]: ERROR: Invalid requirement: coloredlogs==14.101; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' --hash=md5:74c9ee3424df05e34f093b130e0fea9f
[pipenv.exceptions.InstallError]: pip: error: Allowed hash algorithms for --hash are sha256, sha384, sha512.
ERROR: Couldn't install package: coloredlogs
Expected result
Hashes should be created in sha256 format on the Linux Docker Python image, similar to the way they’re created on Windows.
Actual result
It looks like the Pipfile.lock uses md5 hashes in my docker container.
Steps to replicate
- Use a docker container with Python 3.8.6
- Install latest pip (already up to date for now)
- Install latest pipenv
$ pipenv --support
Pipenv version: '2020.11.4'
Pipenv location: '/usr/local/lib/python3.8/site-packages/pipenv'
Python location: '/usr/local/bin/python'
Python installations found:
3.8.6: /usr/local/bin/python3
3.8.6: /usr/local/bin/python3.8
3.7.3: /usr/bin/python3
3.7.3: /usr/bin/python3.7
3.7.3: /usr/bin/python3.7m
2.7.16: /usr/bin/python2
2.7.16: /usr/bin/python2.7
PEP 508 Information:
{'implementation_name': 'cpython',
'implementation_version': '3.8.6',
'os_name': 'posix',
'platform_machine': 'x86_64',
'platform_python_implementation': 'CPython',
'platform_release': '4.12.14-122.32-default',
'platform_system': 'Linux',
'platform_version': '#1 SMP Wed Aug 5 12:59:08 UTC 2020 (477c426)',
'python_full_version': '3.8.6',
'python_version': '3.8',
'sys_platform': 'linux'}
System environment variables:
HTTPS_PROXY
HOSTNAME
PYTHON_PIP_VERSION
PETP_ENVIRONMENT
HOME
GPG_KEY
PYTHON_GET_PIP_URL
PATH
LANG
PYTHON_VERSION
PWD
PYTHON_GET_PIP_SHA256
HTTP_PROXY
PIP_DISABLE_PIP_VERSION_CHECK
PYTHONDONTWRITEBYTECODE
PIP_SHIMS_BASE_MODULE
PIP_PYTHON_PATH
PYTHONFINDER_IGNORE_UNSUPPORTED
Pipenv–specific environment variables:
Debug–specific environment variables:
PATH: /usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
LANG: C.UTF-8
PWD: /usr/src/app
Contents of Pipfile ('/usr/src/app/Pipfile'):
[[source]]
name = "Artifactory"
url = "https://highway.porsche.com/artifactory/api/pypi/pypi-all/simple"
verify_ssl = true
[dev-packages]
pytest = "*"
pytest-bdd = "*"
pytest-mock = "*"
prospector = ">=1.3.0.dev4"
pytest-cov = "*"
[packages]
alembic = "*"
cachetools = "*"
coverage = "*"
dataclasses-json = "*"
ldap3 = "*"
petpcomms = "*"
petpmvcs = "*"
pinject = "*"
pyaml = "*"
python-dateutil = "*"
pymongo = "*"
argon2-cffi = "*"
[requires]
python_version = "3.8"
Top GitHub Comments
I observed md5 hashes getting into my Pipfile.lock files on a number of packages coming from an Artifactory source, even after deleting the lock file. The behavior was consistent using older versions of pipenv, pipenv==2020-11-4, and the master branch, which included #4519.

Ultimately, the source was a number of md5 hashes cached in the ~/.cache/pipenv/hash-cache/ folder. Deleting them solved my problem and I'm now getting sha256 hashes in my Pipfile.lock.

To clear the caches:
- ~/.cache/pipenv/hash-cache for Linux
- ~/Library/Cache/pipenv/hash-cache for macOS
- %USERPROFILE%\AppData\Local\pipenv\pipenv\Cache\hash-cache for Windows
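
Added example, not part of the original issue or of pipenv's code: a pre-install check that reads a Pipfile.lock and reports every pinned hash whose algorithm is outside the set pip accepts for --hash (sha256, sha384, sha512, per the error above), so a lock file poisoned by cached md5 values fails fast in CI. The function name `audit_lock`, the sample lock contents and the `example-ok` entry are assumptions made for illustration.

```python
import json
import re
import sys

# Hex digest length for each algorithm pip accepts for --hash, per the
# error message quoted in the issue (sha256, sha384, sha512).
ALLOWED = {"sha256": 64, "sha384": 96, "sha512": 128}


def audit_lock(lock_text):
    """Return sorted (section, package, hash, reason) tuples for bad hashes."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("default", "develop"):
        for name, entry in lock.get(section, {}).items():
            for value in entry.get("hashes", []):
                algo, _, digest = value.partition(":")
                if algo not in ALLOWED:
                    reason = "algorithm not accepted by pip"
                elif not re.fullmatch(r"[0-9a-f]{%d}" % ALLOWED[algo], digest):
                    reason = "malformed digest"
                else:
                    continue
                findings.append((section, name, value, reason))
    return sorted(findings)


# Constructed lock file: package names and hash values are the ones quoted in
# the issue; "example-ok" is a hypothetical entry carrying the sha256 value.
SAMPLE_LOCK = json.dumps({
    "default": {
        "coloredlogs": {"hashes": ["md5:74c9ee3424df05e34f093b130e0fea9f"],
                        "version": "==14.101"},
        "petpcomms": {"hashes": ["md5:04d97ee07edaaacab3cd72268b0aebae"],
                      "version": "==0.1.12"},
    },
    "develop": {
        "example-ok": {"hashes": ["sha256:14525820de1f749f836763a6631a48d4"
                                  "854f59160c42d4e81a3ecb625514615c"]},
    },
})

if __name__ == "__main__":
    # Audit the file named on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    results = audit_lock(text)
    for section, name, value, reason in results:
        print(f"{section}/{name}: {value} ({reason})")
    sys.exit(1 if results else 0)
```

Run against a real lock file by passing its path as the first argument; a non-zero exit status means at least one pinned hash would be rejected by pip.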