hash mismatch error when a wheel has been uploaded to same version since the last lock
See original GitHub issueThis is a fun one. My project depends on pluggy = "^.0.6.0"
, which up until three days ago only had a .tar.gz
release. Then they uploaded some wheels with the same version. I ran a poetry install
today, and it seems that it’s preferring the new .whl files (as it should), but then not realizing that this is a different file from the .tar.gz, so it shouldn’t really be comparing to that old hash.
Here’s the error I’m getting:
- Installing pluggy (0.6.0)
[VenvCommandError]
Command ['pip', 'install', '--no-deps', '-r', '/tmp/pluggy-0.6.0iCCMcYreqs.txt'] errored with the following output:
Collecting pluggy==0.6.0 (from -r /tmp/pluggy-0.6.0iCCMcYreqs.txt (line 1))
Downloading https://files.pythonhosted.org/packages/82/05/43e3947125a2137cba4746135c75934ceed1863f27e050fc560052104a71/pluggy-0.6.0-py2-none-any.whl
THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the packag
e contents carefully; someone may have tampered with them.
pluggy==0.6.0 from https://files.pythonhosted.org/packages/82/05/43e3947125a2137cba4746135c75934ceed1863f27e050fc560052104a71/pluggy-0.6.0-py2-none-any.whl#sha2
56=d345c8fe681115900d6da8d048ba67c25df42973bda370783cd58826442dcd7c (from -r /tmp/pluggy-0.6.0iCCMcYreqs.txt (line 1)):
Expected sha256 7f8ae7f5bdf75671a718d2daf0a64b7885f74510bcd98b1a0bb420eb9a9d0cff
Got d345c8fe681115900d6da8d048ba67c25df42973bda370783cd58826442dcd7c
Issue Analytics
- State:
- Created 5 years ago
- Comments:5 (4 by maintainers)
Top Results From Across the Web
"Volume hash mismatch" error on Monterey
Yup. This is the issue, my machine seems can't open any apps after the notification appeared. I've tried to download 12.3 update but...
Read more >Python packages hash not matching whilst installing using ...
This error suggests that you're using pip's hash checking mode and may be trying to upgrade a package's version without upgrading the hash...
Read more >“Volume Hash Mismatch” Error in MacOS Monterey
For some users, the “Volume Hash Mismatch” error is accompanied by a significant increase in instability on the Mac running macOS Monterey, ...
Read more >Release and Version History — pipenv 2022.12.20.dev0 ...
Vendor in pip==22.3.1 which is currently the latest version of pip . ... where pipenv check command has been broken in the published...
Read more >there are no users on this volume to recover monterey
1 Beta last week 11/29… at that time the Beta version was in the App Store. ... APFS filesystem volume hash mismatch, followed...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
No, it won’t break.
poetry
store all the hashes in the lock file, regardless of which platform the wheels are targeted for.In fact, the lock file stores all the information needed as long as it’s compatible with what has been declared in the
pyproject.toml
file. This was an early decision to be sure that lock files can be shared between systems and platforms.In this particular case, since new distributions have been uploaded new hashes are now available. But due to the way
poetry
caches release information the new hashes are not picked up.However, I don’t think this warrant changing the dependency resolution process since this is extremely rare and the future
cache:clear
command will take care of it if it were to happen again.Yes I encountered this as well. The maintainers of
pluggy
reuploaded files and tampered with a previous release (which PyPI should prevent in my opinion) which leads to this error.poetry
caches a lot of information to avoid hitting PyPI each time when resolving dependencies so it won’t be able to pick up the new hashes.This case is rare, fortunately, so for the time being you can add the new hashes to your
pyproject.lock
.That being said, the next
0.9.0
release will introduce a newcache:clear
command to clear specific hashes when this occur. This would look like this:And unfortunately your proposal won’t work since the file downloaded on your machine might be different from the one downloaded on someone else’s due to wheels targeted at different systems and platforms. That’s why when
poetry
downloads files it passes all hashes to check.