Why did my pypi choose a tarball hash yesterday vs now it's using a wheel hash?


After the new version for python-crontab (2.7.0) got uploaded yesterday, my pipeline builds started to fail because there was a new hash for the same old pinned version (2.6.0). Local builds fail too with no code changes on my end. Simply updating the lockfile does resolve this, but I thought the purpose of the hashes was to certify that the authenticity of the packages you are getting matches a previous version, aka prevent binary distribution/supply-chain hijacking using signatures.

#0 18.96 [pipenv.exceptions.InstallError]:   Using cached python_crontab-2.6.0-py3-none-any.whl (25 kB)
#0 18.96 [pipenv.exceptions.InstallError]: ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
#0 18.96 [pipenv.exceptions.InstallError]:     python-crontab==2.6.0 from https://files.pythonhosted.org/packages/8a/65/ee4f4db956d14b42aa6cf0dbd0b77217a206484b99f1d4aa11326cd3952a/python_crontab-2.6.0-py3-none-any.whl (from -r /tmp/pipenv-om9jbtdi-requirements/pipenv-0ytg305b-hashed-reqs.txt (line 80)):
#0 18.96 [pipenv.exceptions.InstallError]:         Expected sha256 1e35ed7a3cdc3100545b43e196d34754e6551e7f95e4caebbe0e1c0ca41c2f1b
#0 18.96 [pipenv.exceptions.InstallError]:              Got        f308a64b8b1d072da4a235e9320398a242e92d080c1d8143bd0c600b24e160f8
#0 18.96 ERROR: Couldn't install package: [omitted for length]

Looking at wheel hash:

https://pypi.org/project/python-crontab/2.6.0/#copy-hash-modal-556e5941-9a7b-49bb-8d72-bd7d824f8614 f308a64b8b1d072da4a235e9320398a242e92d080c1d8143bd0c600b24e160f8

vs tar.gz hash:

https://pypi.org/project/python-crontab/2.6.0/#copy-hash-modal-811f8508-00b8-4437-9256-13cdb7f532df 1e35ed7a3cdc3100545b43e196d34754e6551e7f95e4caebbe0e1c0ca41c2f1b

What am I missing?

Error msg with my pipeline command -- this has worked for years.

------
failed to solve: executor failed running [/bin/sh -c pipenv install --dev --system --deploy]: exit code: 1

Exited with code exit status 17

My lockfile:

        "python-crontab": {
            "hashes": [
                "sha256:1e35ed7a3cdc3100545b43e196d34754e6551e7f95e4caebbe0e1c0ca41c2f1b"
            ],
            "index": "pypi",
            "version": "==2.6.0"
        },
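To make the mismatch concrete, here is an added Python example (not from the question, nor from pip or pipenv) that mimics pip's hash check: the sha256 digest of whichever file the resolver downloads must appear in the lock entry's `hashes` list, and any one match passes. The artifact bytes are constructed stand-ins, so the digests are not the real PyPI values; a lock entry that lists only the sdist digest rejects the wheel, while one that lists both accepts either file.

```python
import hashlib
import json

# Constructed stand-ins for the two distribution files of one release.
# No PyPI artifact is fetched; these bytes exist only so digests can be computed offline.
SDIST_BYTES = b"constructed stand-in for python-crontab-2.6.0.tar.gz"
WHEEL_BYTES = b"constructed stand-in for python_crontab-2.6.0-py3-none-any.whl"
NAME = "python-crontab"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lock_entry(hashes: list[str]) -> dict:
    """Build a Pipfile.lock-style entry for python-crontab==2.6.0 (same shape as the question's)."""
    return {NAME: {"hashes": [f"sha256:{h}" for h in hashes],
                   "index": "pypi", "version": "==2.6.0"}}


def allowed_hashes(lock: dict, name: str) -> set[str]:
    """Collect the sha256 digests a lock entry accepts; any single match is enough."""
    return {h.split(":", 1)[1] for h in lock[name]["hashes"] if h.startswith("sha256:")}


def check_artifact(lock: dict, name: str, data: bytes) -> tuple[bool, str]:
    """Mimic pip's --require-hashes check on the file the resolver chose:
    hash the downloaded bytes and require that digest to be listed in the lock."""
    got = sha256_hex(data)
    return got in allowed_hashes(lock, name), got


def missing_hashes(lock: dict, name: str, artifacts: dict) -> list[str]:
    """Hypothetical helper: names of release files whose digest the lock does not list."""
    return [fname for fname, data in artifacts.items()
            if not check_artifact(lock, name, data)[0]]


# Lock as posted in the question: only the sdist digest was recorded at lock time.
sdist_only = lock_entry([sha256_hex(SDIST_BYTES)])
# Lock that records every file of the release: sdist and wheel digests.
complete = lock_entry([sha256_hex(SDIST_BYTES), sha256_hex(WHEEL_BYTES)])

if __name__ == "__main__":
    release = {"python-crontab-2.6.0.tar.gz": SDIST_BYTES,
               "python_crontab-2.6.0-py3-none-any.whl": WHEEL_BYTES}
    print(json.dumps(sdist_only, indent=2))
    print("rejected by sdist-only lock:", missing_hashes(sdist_only, NAME, release))
    print("rejected by complete lock:  ", missing_hashes(complete, NAME, release))
```

Running it shows the wheel being rejected by the sdist-only lock, which is exactly the "Expected ... Got ..." situation in the error above once pip picks the wheel instead of the tarball.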