If you get an error like
pip: error: no such option: --hash, you are using
too old a version of Pip. Please upgrade to Pip 8 or above.
If you get an error like this, the solution is harder:
THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them. alabaster==0.7.7 from https://pypi.python.org/packages/py2.py3/a/alabaster/alabaster-0.7.7-py2.py3-none-any.whl Expected sha256 d57602b3d730c2ecb978a213face0b7a16ceaa4a263575361bd4fd9e2669a544 Got xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Normandy pins requirements with both a package version, and also a package hash.
This gives reproducibility in builds. If you are sure that there is a good
reason for your packages to have a different hash, add another hash line to
requirements/default.txt for the requirement in question, like this:
alabaster==0.7.7 \ --hash d57602b3d730c2ecb978a213face0b7a16ceaa4a263575361bd4fd9e2669a544 \ --hash xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
A good reason for the hash to be different is if you use a platform that isn’t covered by the existing hashes for a package that has wheels.