Use --no-verify-hashes

crates/uv-cli/src/lib.rs

@@ -1263,9 +1263,12 @@ pub struct PipSyncArgs {
 
     /// Require a matching hash for each requirement.
     ///
-    /// Hash-checking mode is all or nothing. If enabled, _all_ requirements must be provided
-    /// with a corresponding hash or set of hashes. Additionally, if enabled, _all_ requirements
-    /// must either be pinned to exact versions (e.g., `==1.0.0`), or be specified via direct URL.
+    /// By default, uv will verify any available hashes in the requirements file, but will not
+    /// require that all requirements have an associated hash.
+    ///
+    /// When `--require-hashes` is enabled, _all_ requirements must include a hash or set of hashes,
+    /// and _all_ requirements must either be pinned to exact versions (e.g., `==1.0.0`), or be
+    /// specified via direct URL.
     ///
     /// Hash-checking mode introduces a number of additional constraints:
     ///
@@ -1284,31 +1287,24 @@ pub struct PipSyncArgs {
     #[arg(long, overrides_with("require_hashes"), hide = true)]
     pub no_require_hashes: bool,
 
-    /// Validate any hashes provided in the requirements file.
-    ///
-    /// Unlike `--require-hashes`, `--verify-hashes` does not require that all requirements have
-    /// hashes; instead, it will limit itself to verifying the hashes of those requirements that do
-    /// include them.
     #[arg(
         long,
-        env = EnvVars::UV_VERIFY_HASHES,
-        require_equals = true,
-        num_args = 0..=1,
-        default_missing_value = "true",
-        value_parser = clap::builder::BoolishValueParser::new(),
         overrides_with("no_verify_hashes"),
+        hide = true,
     )]
-    pub verify_hashes: Option<bool>,
+    pub verify_hashes: bool,
 
+    /// Disable validation of hashes in the requirements file.
+    ///
+    /// By default, uv will verify any available hashes in the requirements file, but will not
+    /// require that all requirements have an associated hash.
     #[arg(
         long,
-        require_equals = true,
-        num_args = 0..=1,
-        default_missing_value = "true",
+        env = EnvVars::UV_NO_VERIFY_HASHES,
         value_parser = clap::builder::BoolishValueParser::new(),
         overrides_with("verify_hashes"),
     )]
-    pub no_verify_hashes: Option<bool>,
+    pub no_verify_hashes: bool,
 
     /// The Python interpreter into which packages should be installed.
     ///
@@ -1556,9 +1552,12 @@ pub struct PipInstallArgs {
 
     /// Require a matching hash for each requirement.
     ///
-    /// Hash-checking mode is all or nothing. If enabled, _all_ requirements must be provided
-    /// with a corresponding hash or set of hashes. Additionally, if enabled, _all_ requirements
-    /// must either be pinned to exact versions (e.g., `==1.0.0`), or be specified via direct URL.
+    /// By default, uv will verify any available hashes in the requirements file, but will not
+    /// require that all requirements have an associated hash.
+    ///
+    /// When `--require-hashes` is enabled, _all_ requirements must include a hash or set of hashes,
+    /// and _all_ requirements must either be pinned to exact versions (e.g., `==1.0.0`), or be
+    /// specified via direct URL.
     ///
     /// Hash-checking mode introduces a number of additional constraints:
     ///
@@ -1577,31 +1576,24 @@ pub struct PipInstallArgs {
     #[arg(long, overrides_with("require_hashes"), hide = true)]
     pub no_require_hashes: bool,
 
-    /// Validate any hashes provided in the requirements file.
-    ///
-    /// Unlike `--require-hashes`, `--verify-hashes` does not require that all requirements have
-    /// hashes; instead, it will limit itself to verifying the hashes of those requirements that do
-    /// include them.
     #[arg(
         long,
-        env = EnvVars::UV_VERIFY_HASHES,
-        require_equals = true,
-        num_args = 0..=1,
-        default_missing_value = "true",
-        value_parser = clap::builder::BoolishValueParser::new(),
         overrides_with("no_verify_hashes"),
+        hide = true,
     )]
-    pub verify_hashes: Option<bool>,
+    pub verify_hashes: bool,
 
+    /// Disable validation of hashes in the requirements file.
+    ///
+    /// By default, uv will verify any available hashes in the requirements file, but will not
+    /// require that all requirements have an associated hash.
     #[arg(
         long,
-        require_equals = true,
-        num_args = 0..=1,
-        default_missing_value = "true",
+        env = EnvVars::UV_NO_VERIFY_HASHES,
         value_parser = clap::builder::BoolishValueParser::new(),
         overrides_with("verify_hashes"),
     )]
-    pub no_verify_hashes: Option<bool>,
+    pub no_verify_hashes: bool,
 
     /// The Python interpreter into which packages should be installed.
     ///
@@ -2197,12 +2189,14 @@ pub struct BuildArgs {
     #[arg(long, short, env = EnvVars::UV_BUILD_CONSTRAINT, value_delimiter = ' ', value_parser = parse_maybe_file_path)]
     pub build_constraint: Vec<Maybe<PathBuf>>,
 
-    /// Require a matching hash for each build requirement.
+    /// Require a matching hash for each requirement.
+    ///
+    /// By default, uv will verify any available hashes in the requirements file, but will not
+    /// require that all requirements have an associated hash.
     ///
-    /// Hash-checking mode is all or nothing. If enabled, _all_ build requirements must be provided
-    /// with a corresponding hash or set of hashes via the `--build-constraint` argument.
-    /// Additionally, if enabled, _all_ requirements must either be pinned to exact versions
-    /// (e.g., `==1.0.0`), or be specified via direct URL.
+    /// When `--require-hashes` is enabled, _all_ requirements must include a hash or set of hashes,
+    /// and _all_ requirements must either be pinned to exact versions (e.g., `==1.0.0`), or be
+    /// specified via direct URL.
     ///
     /// Hash-checking mode introduces a number of additional constraints:
     ///
@@ -2221,31 +2215,24 @@ pub struct BuildArgs {
     #[arg(long, overrides_with("require_hashes"), hide = true)]
     pub no_require_hashes: bool,
 
-    /// Validate any hashes provided in the build constraints file.
-    ///
-    /// Unlike `--require-hashes`, `--verify-hashes` does not require that all requirements have
-    /// hashes; instead, it will limit itself to verifying the hashes of those requirements that do
-    /// include them.
     #[arg(
         long,
-        env = EnvVars::UV_VERIFY_HASHES,
-        require_equals = true,
-        num_args = 0..=1,
-        default_missing_value = "true",
-        value_parser = clap::builder::BoolishValueParser::new(),
         overrides_with("no_verify_hashes"),
+        hide = true,
     )]
-    pub verify_hashes: Option<bool>,
+    pub verify_hashes: bool,
 
+    /// Disable validation of hashes in the requirements file.
+    ///
+    /// By default, uv will verify any available hashes in the requirements file, but will not
+    /// require that all requirements have an associated hash.
     #[arg(
         long,
-        require_equals = true,
-        num_args = 0..=1,
-        default_missing_value = "true",
+        env = EnvVars::UV_NO_VERIFY_HASHES,
         value_parser = clap::builder::BoolishValueParser::new(),
         overrides_with("verify_hashes"),
     )]
-    pub no_verify_hashes: Option<bool>,
+    pub no_verify_hashes: bool,
 
     /// The Python interpreter to use for the build environment.
     ///

crates/uv-cli/src/options.rs

@@ -19,17 +19,6 @@ pub fn flag(yes: bool, no: bool) -> Option<bool> {
     }
 }
 
-pub fn flag_option(yes: Option<bool>, no: Option<bool>) -> Option<bool> {
-    match (yes, no) {
-        (Some(b), None) => Some(b),
-        (None, Some(b)) => Some(!b),
-        (None, None) => None,
-        (Some(true), Some(false)) => Some(true),
-        (Some(false), Some(true)) => Some(false),
-        (Some(_), Some(_)) => unreachable!("Clap should make this impossible"),
-    }
-}
-
 impl From<RefreshArgs> for Refresh {
     fn from(value: RefreshArgs) -> Self {
         let RefreshArgs {

crates/uv-configuration/src/hash.rs

@@ -9,13 +9,13 @@ pub enum HashCheckingMode {
 
 impl HashCheckingMode {
     /// Return the [`HashCheckingMode`] from the command-line arguments, if any.
-    pub fn from_args(require_hashes: bool, verify_hashes: bool) -> Option<Self> {
-        if require_hashes {
+    pub fn from_args(require_hashes: Option<bool>, verify_hashes: Option<bool>) -> Option<Self> {
+        if require_hashes == Some(true) {
             Some(Self::Require)
-        } else if verify_hashes {
-            Some(Self::Verify)
-        } else {
+        } else if verify_hashes == Some(false) {
             None
+        } else {
+            Some(Self::Verify)
         }
     }
 

crates/uv-static/src/env_vars.rs

@@ -167,8 +167,9 @@ impl EnvVars {
     /// Equivalent to the `--token` argument for self update. A GitHub token for authentication.
     pub const UV_GITHUB_TOKEN: &'static str = "UV_GITHUB_TOKEN";
 
-    /// Equivalent to the `--verify-hashes` argument. Verifies included hashes.
-    pub const UV_VERIFY_HASHES: &'static str = "UV_VERIFY_HASHES";
+    /// Equivalent to the `--no-verify-hashes` argument. Disables hash verification for
+    /// `requirements.txt` files.
+    pub const UV_NO_VERIFY_HASHES: &'static str = "UV_VERIFY_HASHES";
 
     /// Equivalent to the `--allow-insecure-host` argument.
     pub const UV_INSECURE_HOST: &'static str = "UV_INSECURE_HOST";

crates/uv/src/settings.rs

@@ -8,7 +8,7 @@ use url::Url;
 use uv_cache::{CacheArgs, Refresh};
 use uv_cli::comma::CommaSeparatedRequirements;
 use uv_cli::{
-    options::{flag, flag_option, resolver_installer_options, resolver_options},
+    options::{flag, resolver_installer_options, resolver_options},
     AuthorFrom, BuildArgs, ExportArgs, PublishArgs, PythonDirArgs, ToolUpgradeArgs,
 };
 use uv_cli::{
@@ -1539,7 +1539,7 @@ impl PipSyncSettings {
                     target,
                     prefix,
                     require_hashes: flag(require_hashes, no_require_hashes),
-                    verify_hashes: flag_option(verify_hashes, no_verify_hashes),
+                    verify_hashes: flag(verify_hashes, no_verify_hashes),
                     no_build: flag(no_build, build),
                     no_binary,
                     only_binary,
@@ -1688,7 +1688,7 @@ impl PipInstallSettings {
                     python_version,
                     python_platform,
                     require_hashes: flag(require_hashes, no_require_hashes),
-                    verify_hashes: flag_option(verify_hashes, no_verify_hashes),
+                    verify_hashes: flag(verify_hashes, no_verify_hashes),
                     ..PipOptions::from(installer)
                 },
                 filesystem,
@@ -2003,8 +2003,8 @@ impl BuildSettings {
                 .filter_map(Maybe::into_option)
                 .collect(),
             hash_checking: HashCheckingMode::from_args(
-                flag(require_hashes, no_require_hashes).unwrap_or_default(),
-                flag_option(verify_hashes, no_verify_hashes).unwrap_or(true),
+                flag(require_hashes, no_require_hashes),
+                flag(verify_hashes, no_verify_hashes),
             ),
             python: python.and_then(Maybe::into_option),
             refresh: Refresh::from(refresh),
@@ -2642,9 +2642,9 @@ impl PipSettings {
             link_mode: args.link_mode.combine(link_mode).unwrap_or_default(),
             hash_checking: HashCheckingMode::from_args(
                 args.require_hashes
-                    .combine(require_hashes)
-                    .unwrap_or_default(),
-                args.verify_hashes.combine(verify_hashes).unwrap_or(true),
+                    .combine(require_hashes),
+                args.verify_hashes
+                    .combine(verify_hashes),
             ),
             python: args.python.combine(python),
             system: args.system.combine(system).unwrap_or_default(),