Pipenv package hash does not match lock file


We have a lock file which has not changed since April 2021. Recently, we have started seeing the following error on pipenv install --deploy:

ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    gunicorn==20.1.0 from https://files.pythonhosted.org/packages/e4/dd/5b190393e6066286773a67dfcc2f9492058e9b57c4867a95f1ba5caf0a83/gunicorn-20.1.0-py3-none-any.whl (from -r /tmp/pipenv-g7_1pdnq-requirements/pipenv-d64a8p6k-hashed-reqs.txt (line 32)):
        Expected sha256 e0a968b5ba15f8a328fdfd7ab1fcb5af4470c28aaf7e55df02a99bc13138e6e8
             Got        9dcc4547dbb1cb284accfb15ab5667a0e5d1881cc443e0677b4882a4067a807e

We have opened an issue in the project GitHub https://github.com/benoitc/gunicorn/issues/2889

We believe that it would be unsafe to use this new version without confirmation it is correct and safe in case someone has maliciously updated the package in the package repository.

Is there a way we can grab the wheel file from a previous docker build and force that to be used for the time being so we can safely build with the existing version and checksum?


Asked By: Alex Bailey



Thanks to @Ouroborus for the answer:

e0... is for the .tar.gz (source) package, 9d... is for the .whl package. (See the "view hashes" links on PyPI’s gunicorn files page) I’m not sure why your systems are choosing to download the wheel now when they downloaded the source previously. However, those are both valid hashes for that module and version.

Answered By: Alex Bailey
Categories: questions Tags: , , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.