
Python packages hash not matching whilst installing using pip package fails hash check #12424


Closed
1 task done
fti-sfuke opened this issue Dec 5, 2023 · 6 comments
Labels
S: awaiting response Waiting for a response/more information type: bug A confirmed bug or unintended behavior

Comments

@fti-sfuke

Description

The following requirements package fails to install
pip3 install boto3

With package fails hash check error
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE.

Expected behavior

boto3 packages must be installed with pip.

pip version

23.1.2

Python version

3.7

OS

Debian GNU/Linux 10 (buster)

How to Reproduce

  1. Install boto3 package
    root@buildhost:/mnt# pip3 install boto3

  2. package fails, a hash check error occurred.

    ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    botocore<1.34.0,>=1.33.7 from https://www.piwheels.org/simple/botocore/botocore-1.33.7-py3-none-any.whl#sha256=afd25654101b8d13a01309fe7163009626a8e85ebcb0c6cabf4001bbfbb1c642 (from boto3):
        Expected sha256 afd25654101b8d13a01309fe7163009626a8e85ebcb0c6cabf4001bbfbb1c642
             Got        7985da9ee5f298d54d551add307b34b22a26a8f43847bb6141fc61ca3b5af3c5

Output

root@buildhost:/mnt# pip3 install boto3
Looking in indexes: https://pypi.org/simple, https://www.piwheels.org/simple
Collecting boto3
  Using cached https://www.piwheels.org/simple/boto3/boto3-1.33.7-py3-none-any.whl (136 kB)
Collecting botocore<1.34.0,>=1.33.7 (from boto3)
  Downloading https://www.piwheels.org/simple/botocore/botocore-1.33.7-py3-none-any.whl (11.8 MB)
     ━━━━━━━━━━╸━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.1/11.8 MB 66.4 kB/s eta 0:02:11
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    botocore<1.34.0,>=1.33.7 from https://www.piwheels.org/simple/botocore/botocore-1.33.7-py3-none-any.whl#sha256=afd25654101b8d13a01309fe7163009626a8e85ebcb0c6cabf4001bbfbb1c642 (from boto3):
        Expected sha256 afd25654101b8d13a01309fe7163009626a8e85ebcb0c6cabf4001bbfbb1c642
             Got        7985da9ee5f298d54d551add307b34b22a26a8f43847bb6141fc61ca3b5af3c5


@agronholm
Contributor

Are you saying that pip3 on Debian Buster installs wheels by default from www.piwheels.org/simple?
I tried this with Docker and couldn't reproduce the problem. What requirements file is that error referring to?

@pfmoore
Member

pfmoore commented Dec 5, 2023

You are missing a lot of information necessary to reproduce this issue. As @agronholm says, something (possibly a config file or an environment variable) is directing pip to look at www.piwheels.org/simple. You need to tell us what that is. Also, the error refers to a requirements file but your command doesn't include one. Why is pip looking at a requirements file?

Please reduce this issue to a reproducible example, with all of the necessary setup included in the instructions.

@gegnew

gegnew commented Dec 21, 2023

I'm also having this issue, actually. I'll follow up if I learn anything poking around.

@agronholm
Contributor

Perhaps you would like to give some details then?

@pettyalex

Hey, thank you for opening this issue @fti-sfuke, it helped me track down the problem:

Raspberry Pi OS ships with an /etc/pip.conf that includes piwheels.org by default, so hashes won't match wheels published from pypi.org:

[global]
extra-index-url=https://www.piwheels.org/simple

I commented out the line and solved this. This is a bad default, in my opinion, especially for the ARM64 Raspberry Pis. I'm more sympathetic for the case for this on 32-bit OSes. I'm going to see if I can ask the Raspberry Pi people to remove this for 64-bit.
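
An added example, not part of the comment above and not pip's own code: a small audit that lists every index pip has been pointed at through configuration files and environment variables, which is the information the maintainers asked for earlier in the thread. The function names are hypothetical, and the file locations other than /etc/pip.conf are the usual Linux ones, assumed here.

```python
import configparser
import os
import sys
from urllib.parse import urlsplit

# Constructed sample: the /etc/pip.conf body quoted in the comment above.
SAMPLE_PIP_CONF = "[global]\nextra-index-url=https://www.piwheels.org/simple\n"

INDEX_KEYS = ("index-url", "extra-index-url")
ENV_VARS = {"PIP_INDEX_URL": "index-url", "PIP_EXTRA_INDEX_URL": "extra-index-url"}


def indexes_from_conf(text, origin):
    """Return (origin, section, key, url) for each index option in a pip.conf body."""
    parser = configparser.RawConfigParser()  # raw: URLs may contain '%'
    parser.read_string(text)
    found = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key.replace("_", "-") in INDEX_KEYS:
                # one option may list several URLs separated by whitespace/newlines
                found += [(origin, section, key, url) for url in value.split()]
    return found


def indexes_from_env(env):
    """Same tuples for the PIP_* environment variables that set indexes."""
    return [("env", var, key, url)
            for var, key in ENV_VARS.items() for url in env.get(var, "").split()]


def extra_hosts(entries, default="pypi.org"):
    """Hosts other than the default index that pip may fetch from."""
    hosts = {urlsplit(url).hostname for *_, url in entries}
    return sorted(h for h in hosts if h and h != default)


if __name__ == "__main__":
    # Assumed locations: global, user, legacy user, environment-level, explicit override.
    paths = ["/etc/pip.conf", os.path.expanduser("~/.config/pip/pip.conf"),
             os.path.expanduser("~/.pip/pip.conf"), os.path.join(sys.prefix, "pip.conf"),
             os.environ.get("PIP_CONFIG_FILE", "")]
    entries = indexes_from_env(os.environ)
    for path in filter(os.path.isfile, paths):
        with open(path, encoding="utf-8") as fh:
            entries += indexes_from_conf(fh.read(), path)
    for entry in entries:
        print(*entry)
    print("non-default hosts:", extra_hosts(entries) or "none")
```

`pip config debug` reports the same sources from pip itself; the script is useful when auditing a build image without invoking pip.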

@ichard26 ichard26 added S: awaiting response Waiting for a response/more information and removed S: needs triage Issues/PRs that need to be triaged labels Mar 30, 2025
@ichard26
Member

There is nothing actionable or fixable here. It is a known issue that pip will report an interrupted download as a hash failure, but that's already tracked as #11153. Otherwise, the hash failure really should be treated as if your distributions are unexpected and requiring verification.
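
An added example, not part of the comment above and not how pip implements its check: a triage helper that separates the two cases just described, an incomplete transfer versus a complete file whose digest differs. In the log at the top of this issue the progress bar stood at 3.1/11.8 MB when the error was raised. The function names, the `declared_size` parameter and the `demo` package are hypothetical.

```python
import hashlib
import io
import zipfile
from urllib.parse import urlsplit


def expected_sha256(url):
    """Digest from a '#sha256=<hex>' URL fragment, the form shown in pip's log."""
    algo, _, digest = urlsplit(url).fragment.partition("=")
    return digest.lower() if algo == "sha256" and digest else None


def triage(data, url, declared_size=None):
    """Classify downloaded bytes against the digest carried in the index URL."""
    want = expected_sha256(url)
    if want is None:
        return "no-hash-in-url"
    if hashlib.sha256(data).hexdigest() == want:
        return "match"
    # Fewer bytes than the declared size (e.g. Content-Length): transfer stopped early.
    if declared_size is not None and len(data) < declared_size:
        return "incomplete"
    # A wheel is a zip; a cut-off zip has lost its end-of-central-directory record.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "incomplete-or-not-a-wheel"
    # Complete archive, wrong digest: inspect the file before trusting it.
    return "different-content"


def build_sample_wheel(value=1):
    """Constructed stand-in for a wheel (hypothetical 'demo' package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", f"VALUE = {value}\n")
        zf.writestr("demo-0.1.dist-info/METADATA", "Name: demo\nVersion: 0.1\n")
    return buf.getvalue()


if __name__ == "__main__":
    wheel = build_sample_wheel()
    url = ("https://index.example/simple/demo/demo-0.1-py3-none-any.whl#sha256="
           + hashlib.sha256(wheel).hexdigest())
    print(triage(wheel, url))
    print(triage(wheel[: len(wheel) // 3], url, declared_size=len(wheel)))
    print(triage(build_sample_wheel(value=2), url))
```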

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 30, 2025