Getting "ERROR: In --require-hashes mode, all requirements must have their versions pinned with"

3.2k views

I want to use SHA256 hashes when installing pip packages, and I have all dependencies pinned in requirements.in like this:

apache-beam[gcp]==2.38.0
beautifulsoup4==4.10.0
bleach==4.1.0
certifi==2021.5.30
deepdiff==5.8.1
defusedxml==0.7.1
elasticsearch==7.17.0
firebase-admin==5.2.0
future==0.18.2
googledatastore==7.0.2
google-cloud-storage==2.1.0
google-auth==1.35.0
google-cloud-dataflow-client==0.3.1
google-cloud-logging==3.0.0
google-cloud-ndb==1.11.1
google-cloud-secret-manager==2.12.4
google-cloud-tasks==2.7.2
google-cloud-translate==3.6.1
gunicorn==20.1.0
html5lib==1.1
mailchimp3==3.0.15
mutagen==1.45.1
pillow==9.0.1
pylatexenc==2.10
pytest==6.2.5
PyYAML==6.0
redis==3.5.3
requests==2.26.0
requests-mock==1.9.3
requests-toolbelt==0.9.1
result==0.6.0
rsa==4.7.2
simplejson==3.17.5
six==1.16.0
soupsieve==2.3.1
typing-extensions==3.10.0.2
urllib3==1.26.7
webapp2==3.0.0b1
webencodings==0.5.1

FYI, I am using pip 22.1.1, Python 3.8.15 and pip-compile 6.6.2. To generate the hashes, I used pip-compile --generate-hashes requirements.in and then pip install --require-hashes -r requirements.txt to enable hash verification. But I am getting an error like this:

ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    google-api-core[grpc]<3.0.0dev,>=1.22.1 from https://files.pythonhosted.org/packages/f7/24/a17e75c733609dce285a2dae6f56837d69a9566963c9d1cab96d788546c8/google_api_core-2.11.0-py3-none-any.whl (from firebase-admin==5.2.0->-r requirements.txt (line 179))

Please help me to understand the reason for this error and how to resolve it. Thanks.

I am expecting to install the dependencies (with hash verification) without any error.

2

There are 2 answers

0
Sujay On BEST ANSWER

It still seems like an issue with pip, and I found this issue stating exactly what I am trying to point out. In the error logs in my question, pip installed the latest version of google-api-core when the version was already pinned. It's more likely because of that [grpc] extra.

Two solutions worked for me.

  1. Using --no-deps, which will prevent pip from looking for dependencies at installation time. I think it makes sense since dependencies are already resolved while generating the requirements file. The command will be

pip install --require-hashes --no-deps -r requirements.txt

  2. Using the --use-deprecated=legacy-resolver option, and the command will be

pip install --require-hashes --use-deprecated=legacy-resolver -r requirements.txt

2
Elijas Dapšauskas On

Alternative workaround: just add the indirect dependency as a direct dependency.

For example, given the error

ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    aiohttp>=3.7.4 from https://files.pythonhosted.org/packages/69/8d/769a1e9cdce1c9774dd2edc8f4e94c759256246066e5263de917e5b22a0a/aiohttp-3.9.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (from black==23.12.0->-r docs/rtd_requirements.txt (line 22))

It gets solved by just running

  1. pip install aiohttp
    • If you're using poetry, then it's poetry add aiohttp

Source: this fixed that
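The checks behind both answers, as an added example that is not code from the question, from either answer or from pip itself: a small parser for the pip-compile --generate-hashes layout that applies the two rules pip enforces in --require-hashes mode (every requirement pinned with exactly one == specifier, every requirement carrying at least one --hash) and then does the digest comparison pip performs on a downloaded file. The requirements text, the "wheel" bytes and their SHA-256 are constructed for the example; none of the digests are real PyPI values. pinned_projects() normalizes names and drops extras such as [grpc], which is the lookup you need when deciding whether a dependency pip reports as unpinned (the second answer's case) is actually absent from your file.

```python
"""Static check for a pip --require-hashes requirements file (added example)."""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass, field

# pip only accepts these algorithms for --hash; md5/sha1 are refused.
STRONG_HASHES = {"sha256", "sha384", "sha512"}

# Constructed sample "wheel" bytes; the digest is computed from them here,
# it is not a real PyPI value.
SAMPLE_ARTIFACT = b"constructed wheel bytes for the example\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()

# Constructed file in pip-compile --generate-hashes layout
# (backslash continuation lines, one --hash option per line).
SAMPLE_REQUIREMENTS = f"""\
firebase-admin==5.2.0 \\
    --hash=sha256:{SAMPLE_SHA256}
# a range, the shape pip complains about in the question
google-api-core[grpc]<3.0.0dev,>=1.22.1 \\
    --hash=sha256:{SAMPLE_SHA256}
# pinned but carrying no hash at all
six==1.16.0
"""

NAME_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(\[[^\]]*\])?(.*)$")
HASH_RE = re.compile(r"^--hash=([A-Za-z0-9_]+):([0-9a-fA-F]+)$")
PIN_RE = re.compile(r"^===?\s*(\S+)$")


@dataclass
class Requirement:
    raw: str                  # requirement text without marker or --hash options
    name: str                 # PEP 503 normalized project name
    extras: list[str]
    specifier: str            # e.g. "==5.2.0" or "<3.0.0dev,>=1.22.1"
    hashes: list[tuple[str, str]] = field(default_factory=list)  # (alg, hexdigest)


def normalize(name: str) -> str:
    """PEP 503 normalization: 'Google_API.Core' and 'google-api-core' are one project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text: str):
    """Yield requirement lines with comments dropped and '\\' continuations joined."""
    buf: list[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].strip())
            continue
        buf.append(stripped)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def parse_requirement(logical: str) -> Requirement:
    """Split 'name[extras]spec ; marker --hash=alg:hex ...' into a Requirement."""
    head, *options = re.split(r"\s+(?=--)", logical)
    head = re.sub(r"\s+", "", head.split(";", 1)[0])   # drop an environment marker
    m = NAME_RE.match(head)
    if not m:
        raise ValueError(f"cannot parse requirement: {head!r}")
    name, extras, specifier = m.group(1), m.group(2), m.group(3)
    extras_list = [e.strip() for e in extras[1:-1].split(",") if e.strip()] if extras else []
    req = Requirement(head, normalize(name), extras_list, specifier)
    for opt in options:
        hm = HASH_RE.match(opt)
        if not hm:
            raise ValueError(f"unsupported option on requirement line: {opt!r}")
        alg = hm.group(1).lower()
        if alg not in STRONG_HASHES:
            raise ValueError(f"{alg} is not an allowed --hash algorithm")
        req.hashes.append((alg, hm.group(2).lower()))
    return req


def is_pinned(specifier: str) -> bool:
    """pip's rule: exactly one specifier, operator == (or ===), no '.*' wildcard."""
    parts = [p.strip() for p in specifier.split(",") if p.strip()]
    if len(parts) != 1:
        return False
    m = PIN_RE.match(parts[0])
    return bool(m) and not m.group(1).endswith(".*")


def check_require_hashes(text: str) -> dict[str, list[str]]:
    """Return the requirements pip would reject in --require-hashes mode, keyed by reason."""
    problems: dict[str, list[str]] = {"unpinned": [], "missing_hash": []}
    for logical in logical_lines(text):
        req = parse_requirement(logical)
        if not is_pinned(req.specifier):
            problems["unpinned"].append(req.raw)
        if not req.hashes:
            problems["missing_hash"].append(req.raw)
    return problems


def pinned_projects(text: str) -> dict[str, str]:
    """Map normalized project name -> pinned version, ignoring extras such as [grpc]."""
    out: dict[str, str] = {}
    for logical in logical_lines(text):
        req = parse_requirement(logical)
        if is_pinned(req.specifier):
            out[req.name] = req.specifier.lstrip("=").strip()
    return out


def verify_artifact(data: bytes, req: Requirement) -> bool:
    """The check pip runs on a downloaded file: its digest must match one listed hash."""
    return any(hmac.compare_digest(hashlib.new(alg, data).hexdigest(), digest)
               for alg, digest in req.hashes)


if __name__ == "__main__":
    print(check_require_hashes(SAMPLE_REQUIREMENTS))
    print(pinned_projects(SAMPLE_REQUIREMENTS))
    first = parse_requirement(next(logical_lines(SAMPLE_REQUIREMENTS)))
    print(verify_artifact(SAMPLE_ARTIFACT, first), verify_artifact(SAMPLE_ARTIFACT + b"x", first))
```

Running the script against the constructed file reports google-api-core[grpc]<3.0.0dev,>=1.22.1 as unpinned and six==1.16.0 as missing a hash, which is exactly the distinction the error message in the question draws; pinned_projects() shows that google-api-core is not pinned anywhere in that file, so the second answer's fix (pin it directly and regenerate the hashes) is what would satisfy pip, while --no-deps from the first answer sidesteps the check by never looking at firebase-admin's dependency metadata.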