Pipfile.lock hashes change between operating systems

Currently, if I lock a Pipfile on OSX and then try to install the lock file on Linux, it fails, as many of the packages seem to have different versions based on the OS, with different hashes:

An error occured while installing!
THESE PACKAGES DO NOT MATCH THE HASHES FROM Pipfile.lock!. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    gevent==1.2.1 from https://pypi.python.org/packages/a1/41/65eee925d5fe1e1a83ab75e2e83952515f6789aaf561a8183e4c515b49a6/gevent-1.2.1-cp27-cp27mu-manylinux1_x86_64.whl#md5=8b09f79ffb73bfa47806f2719d0b34f1 (from -r /tmp/tmpvJReOn-requirements.txt (line 6)):
        Expected sha256 f68fa3b23e518ce12f8b14264ba567eb2f8a22923f85257d5043fb81e78dbc43
             Got        5b9ba1abd75ed7e3d667dd52baba60e902ab0de583aa92d5f80c6fecdae06a28

    greenlet==0.4.12 from https://pypi.python.org/packages/fd/b8/dd04dd0ce13ba7412eac94f6e0456e26e45d0e1df5b8019fb15832d850b0/greenlet-0.4.12-cp27-cp27mu-manylinux1_x86_64.whl#md5=1719cc1f62dd52fd5af1ee4dc38c83d2 (from -r /tmp/tmpvJReOn-requirements.txt (line 21)):
        Expected sha256 e4c99c6010a5d153d481fdaf63b8a0782825c0721506d880403a3b9b82ae347e
             Got        21232907c8c26838b16915bd8fbbf82fc70c996073464cc70981dd4a96bc841c

    cryptography==1.7.2 from https://pypi.python.org/packages/99/df/71c7260003f5c469cec3db4c547115df39e9ce6c719a99e067ba0e78fd8a/cryptography-1.7.2.tar.gz#md5=fade66de437392ed1ba6980768626204 (from -r /tmp/tmpvJReOn-requirements.txt (line 24)):
        Expected sha256 64c875d0384c8c1dc6134fc7ddcfe39b09ea9d5bb2c7616792006e83d85db52c
             Got        878cb68b3da3d493ffd68f36db11c29deee623671d3287c3f8d685117ffda9a9

    billiard==3.3.0.23 from https://pypi.python.org/packages/64/a6/d7b6fb7bd0a4680a41f1d4b27061c7b768c673070ba8ac116f865de4e7ca/billiard-3.3.0.23.tar.gz#md5=6ee416e1e7c8d8164ce29d7377cca6a4 (from -r /tmp/tmpvJReOn-requirements.txt (line 26)):
        Expected sha256 c0cbe8d45ba8d8213ad68ef9a1881002a151569c9424d551634195a18c3a4160
             Got        692a2a5a55ee39a42bcb7557930e2541da85df9ea81c6e24827f63b80cd39d0b

    cffi==1.9.1 from https://pypi.python.org/packages/5f/bc/9fd2ce704560d2be1b13fe8939bca4941c8cf60e7fc97a0abd73edd44686/cffi-1.9.1-cp27-cp27mu-manylinux1_x86_64.whl#md5=dd6e35f133ad90e18cfdb44e0aa7d62b (from -r /tmp/tmpvJReOn-requirements.txt (line 48)):
        Expected sha256 d3e3063af1fa6b59e255da9a812891cdaf24b90fbaf653c02797871069b7c4c9
             Got        9163f7743cf9991edaddf9cf886708e288fab38e1b9fec9c41c15c85c8f7f147

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Reactions: 3
  • Comments: 20 (8 by maintainers)

Top GitHub Comments

mixxorz commented, Feb 28, 2017 (25 reactions)

Is this something you’re planning on fixing? This essentially means anyone who doesn’t develop on Linux won’t be able to deploy their applications without creating a new lock file for the production environment, which kind of defeats the purpose of the lock file.

jacebrowning commented, Feb 28, 2017 (13 reactions)

Gemfile.lock does not include hashes of Gems installed from package repositories, but does include SHAs from dependencies installed from source. If I am unable to develop on one system and deploy on another, then Pipfile.lock serves no purpose for me.
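
Added example (not part of the issue thread and not pipenv code): a triage helper for the hash-mismatch report shown in the issue, which separates "the lock recorded a different platform's file" from "the downloaded bytes differ from what the index publishes". The report text, file names, digests and the `PUBLISHED` table are constructed; `PUBLISHED` stands in for the per-file sha256 digests a package index lists for a release, and `triage` is a hypothetical name.

```python
import re

# Constructed report in the layout of pip's hash-mismatch output; the URLs and
# shortened hex digests are made up for this example.
REPORT = """\
    gevent==1.2.1 from https://index.invalid/gevent-1.2.1-cp27-cp27mu-manylinux1_x86_64.whl#md5=00aa (from -r /tmp/req.txt (line 6)):
        Expected sha256 aaaa1111
             Got        bbbb2222

    billiard==3.3.0.23 from https://index.invalid/billiard-3.3.0.23.tar.gz#md5=00bb (from -r /tmp/req.txt (line 26)):
        Expected sha256 cccc3333
             Got        dddd4444
"""

# Constructed stand-in for the per-file sha256 digests an index publishes.
PUBLISHED = {
    ("gevent", "1.2.1"): {
        "gevent-1.2.1-cp27-cp27m-macosx_10_6_intel.whl": "aaaa1111",
        "gevent-1.2.1-cp27-cp27mu-manylinux1_x86_64.whl": "bbbb2222",
    },
    ("billiard", "3.3.0.23"): {
        "billiard-3.3.0.23-cp27-cp27m-macosx_10_6_intel.whl": "cccc3333",
        "billiard-3.3.0.23.tar.gz": "eeee5555",
    },
}

ENTRY = re.compile(
    r"^\s*(?P<name>[\w.\-]+)==(?P<version>\S+) from (?P<url>\S+).*\n"
    r"\s*Expected sha256 (?P<expected>[0-9a-f]+)\n"
    r"\s*Got\s+(?P<got>[0-9a-f]+)",
    re.MULTILINE)

def triage(report, published):
    """Classify each mismatch: wrong artifact locked vs. unexpected bytes."""
    findings = []
    for m in ENTRY.finditer(report):
        # File name is the last URL path segment, minus the #md5= fragment.
        filename = m["url"].split("#")[0].rsplit("/", 1)[-1]
        files = published.get((m["name"], m["version"]), {})
        # Which published file, if any, does the locked hash belong to?
        locked_as = [f for f, h in files.items() if h == m["expected"]]
        if files.get(filename) != m["got"]:
            verdict = "download-not-published"    # bytes differ from the index's record
        elif locked_as:
            verdict = "lock-pins-other-artifact"  # lock made from another platform's file
        else:
            verdict = "expected-hash-unknown"     # lock hash matches no published file
        findings.append((m["name"], filename, verdict, locked_as))
    return findings
```

A `lock-pins-other-artifact` result is the cross-OS situation reported in this issue; `download-not-published` is the case the tampering warning in the error message is about.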
