What This Error Means
You are using hash-checking mode (--require-hashes), but the downloaded file's hash doesn't match, or some requirements are missing hashes.
How to Fix It
- If you intentionally changed versions, regenerate hashes for the new artifacts from a trusted source and update the requirements file.
- Ensure every requirement installed under --require-hashes has at least one valid hash entry (pip requires hashes for all requirements in this mode).
- Retry with --no-cache-dir to rule out corrupted cache artifacts.
- If you're using an internal mirror, verify it serves the correct artifacts and isn't rewriting files.
Why It Happens
- A package version was updated in the requirements file but its hashes were not updated.
- The index/mirror served a different file than the one the hashes were generated against.
- A cached download is corrupt or truncated (less common, but possible).
- An attacker or misconfigured proxy/mirror altered the served artifact.
How to Verify
- Re-run python -m pip install --require-hashes -r requirements.txt and confirm installs complete.
- Verify the installed versions match what you pinned (python -m pip freeze).
Manual hash-checking triage
- Identify which requirement line pip says has mismatched/missing hashes.
- Check whether you changed a pinned version without updating its --hash= lines.
- Confirm you're using the expected index/mirror (a different mirror can serve different files).
Common CLI Output
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes.
Hashes are required in --require-hashes mode (implicitly on when a hash is specified for any package). These requirements were missing hashes, leaving them open to tampering.
How pip hash-checking works
- In --require-hashes mode, pip verifies that every downloaded distribution matches an allowed hash from your requirements file.
- If any package is missing a hash entry, pip refuses to install it (because it would be unverified).
- If a downloaded artifact's hash differs, pip assumes tampering or a changed file and aborts.
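The three outcomes above, as an added sketch for local triage (this is not pip's own code). It assumes simple "name==version" requirement lines; the package names, artifact bytes and function names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample data: artifact bytes and a requirements file for illustration.
GOOD_ARTIFACT = b"constructed wheel bytes for demo-pkg 1.0"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b" (modified in transit)"
SAMPLE_REQUIREMENTS = (
    "demo-pkg==1.0 \\\n"
    "    --hash=sha256:" + hashlib.sha256(GOOD_ARTIFACT).hexdigest() + "\n"
    "# comment line\n"
    "other-pkg==2.3\n"
)

HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


def parse_allowed_hashes(text):
    """Map each requirement spec to its set of (algorithm, hexdigest) pairs."""
    joined = re.sub(r"\\\r?\n", " ", text)  # fold backslash line continuations
    allowed = {}
    for line in joined.splitlines():
        line = line.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith(("#", "-")):
            continue  # skip blanks, comment lines and option lines
        spec = line.split()[0]  # assumes "name==version" with no inner spaces
        allowed[spec] = {(a.lower(), d.lower()) for a, d in HASH_RE.findall(line)}
    return allowed


def check_artifact(spec, data, allowed):
    """Return 'missing', 'mismatch' or 'ok' for one downloaded artifact."""
    entries = allowed.get(spec, set())
    if not entries:
        return "missing"  # no --hash entry: the artifact would be unverified
    for algo, digest in entries:
        if algo not in hashlib.algorithms_available:
            continue  # an unknown algorithm can never produce a match
        if hashlib.new(algo, data).hexdigest() == digest:
            return "ok"  # matching any one allowed hash is enough
    return "mismatch"  # file differs from every pinned hash


if __name__ == "__main__":
    pins = parse_allowed_hashes(SAMPLE_REQUIREMENTS)
    print(check_artifact("demo-pkg==1.0", GOOD_ARTIFACT, pins))
    print(check_artifact("demo-pkg==1.0", TAMPERED_ARTIFACT, pins))
    print(check_artifact("other-pkg==2.3", b"any bytes", pins))
```

To triage a real failure, read the downloaded file's bytes and pass them as data along with the pinned spec from the requirements file.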
Prevention Tips
- Generate hashed requirements in a controlled environment and treat the file as an integrity lock.
- Use a single trusted mirror for CI to reduce artifact variance.
- Avoid manually editing hash lines; use tooling/workflows to regenerate them.
Where This Can Be Triggered
github.com/pypa/pip/blob/25.3/src/pip/_internal/exceptions.py (missing hashes)
When --require-hashes is enabled and a requirement is missing hashes, pip reports a HashMissing error with this header text.
class HashMissing(HashError):
    """A hash was needed for a requirement but is absent."""
    order = 2
    head = (
        "Hashes are required in --require-hashes mode, but they are "
        "missing from some requirements. Here is a list of those "
        "requirements along with the hashes their downloaded archives "
        "actually had. Add lines like these to your requirements files to "
        "prevent tampering. (If you did not enable --require-hashes "
        "manually, note that it turns on automatically when any package "
        "has a hash.)"
    )
github.com/pypa/pip/blob/25.3/src/pip/_internal/exceptions.py (hash mismatch)
When the downloaded artifact hash doesn't match an allowed hash, pip reports a HashMismatch error with this header text.
class HashMismatch(HashError):
    """
    Distribution file hash values don't match.
    :ivar package_name: The name of the package that triggered the hash
        mismatch. Feel free to write to this after the exception is raise to
        improve its error message.
    """
    order = 4
    head = (
        "THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS "
        "FILE. If you have updated the package versions, please update "
        "the hashes. Otherwise, examine the package contents carefully; "
        "someone may have tampered with them."
    )