Feature request: use --hash to match correct file

[bennuttall]

What's the problem this feature will solve?

When a package includes hashes for their dependencies, and the user is using a third-party repo as their additional index, pip may choose to use a file from the additional index rather than PyPI (e.g. if the third party provides a wheel and PyPI doesn't), in which case the hash will not match and the installation will fail. If a matching hash is required, and the file with the required hash is available, this file should take priority even if it is usually of lower presedence to pip (i.e. bdist vs sdist).

Describe the solution you'd like

I suggest that when a hash is specified, pip should only attempt to install a file with a matching hash, even when alternative otherwise suitable files are available.

Scenario:

(using 6-character hashes for brevity)

• Index: pypi.org
• Additional index: piwheels.org
• pypi.org provides package-1.0.0-none-any.whl with hash abcdef
• piwheels.org provides package-1.0.0.tar.gz with hash beefed

Example (current):

$ pip install package==1.0.0 --hash=sha256:abcdef -v
Looking in indexes: https://pypi.org/simple, https://www.piwheels.org/simple
Collecting package
  2 location(s) to search for versions of package:
  * https://pypi.org/simple/package/
  * https://www.piwheels.org/simple/package/
...
THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    package==1.0.0 from https://www.piwheels.org/simple/package/package-1.0.0-none-any.whl#sha256=abcdef
        Expected sha256 abcdef
             Got        beefed

Example (proposed):

$ pip install package==1.0.0 --hash=sha256:abcdef -v
Looking in indexes: https://pypi.org/simple, https://www.piwheels.org/simple
Collecting package
  2 location(s) to search for versions of package:
  * https://pypi.org/simple/package/
  * https://www.piwheels.org/simple/package/
...
Downloading https://files.pythonhosted.org/packages/.../package-1.0.0.tar.gz
...
Successfully installed package

Alternative Solutions

Related to #6394 but a different problem.

Additional context

I maintain a third-party repo at piwheels.org for Raspberry Pi users and we pre-configure /etc/pip.conf in Raspbian to set extra-index-url. If users want to make sure their installation comes from PyPI to match the hash, they have to remove /etc/pip.conf. But it's not obvious that's the case.

See piwheels/piwheels#144

[bcutter]

This would have solved my issue which I needed to work around manually (quite time consuming) :-(

certbot/certbot#6933 (comment)

[cjerdonek]

Is this the same issue? #5874

[bennuttall]

Yes, it seems so. I'll close it and add my support to that one.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.