Packages Do Not Match the Hashes Pip Error

Anže's Blog

The 15-Year-Old iptables Rule That Broke My DNS Fedidevs 9h Outage Postmortem Letting Claude Upgrade My Raspberry Pi Agents Day Lisbon DjangoCon Europe 2026 How to Safely Update Your Dependencies Speeding Up Django Startup Times with Lazy Imports Typing Your Django Project in 2026 Claude Fixes User Bug Jekyll to Hugo Migration Advent of Code 2025 🎄 Django bulk_update Memory Issue Migrating Gunicorn to Granian Disable Network Requests When Running Pytest Disable Runserver Warning in Django 5.2 Autogenerating og:images with Jekyll Power Outages and Gunicorn PID Files UV with Django Go-like Error Handling Makes No Sense in JavaScript or Python Gotchas with SQLite in Production Fedidevs Dev Update #2 Django SQLite Production Config Django Streaming HTTP Responses Deploying a Django Project to My Raspberry Pi (Video) Thoughts on Code Reviews Django SQLite Benchmark Django, SQLite, and the Database Is Locked Error No Downtime Deployments with Gunicorn SQLite Write-Ahead Logging Writing a Pytest Plugin Fedidevs Dev Update #1 Django-TUI: A Text User Interface for Django Commands Automate Hatch Publish with GitHub Actions Words TUI: App for Daily Writing Textual App Auto Reload RDS Blue/Green Deployments Fly.io Certificate Renewal Using Testing Library with Selenium in Python The Fastest Way to Build a Read-only JSON API import __hello__ Enum with `str` or `int` Mixin Breaking Change in Python 3.11 Your Code Doesn't Have to Be Perfect Fixing _SixMetaPathImporter.find_spec() Not Found Warnings in Python 3.10 Upgrading Django App to Python 3.10 Integer Overflow Error in a Python Application Python Dependency Management MySQL Performance Degradation in Django 3.1 New Features in Python 3.8 and 3.9 The Code Review Batch Size The Code Review Bottleneck

Anže Pečar · 2024-08-02 · via Anže's Blog

Yesterday, I received a hashes mismatch error when trying to install the latest Django release candidate on my Raspberry Pi:

(.venv) home@raspberrypi:~/fedidevs $ pip install 'django==5.1rc1'
Looking in indexes: https://pypi.org/simple, https://www.piwheels.org/simple
Collecting django==5.1rc1
  Downloading https://www.piwheels.org/simple/django/Django-5.1rc1-py3-none-any.whl (8.2 MB)
     ━━━━━━━━━━━━╺━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.5/8.2 MB 66.4 kB/s eta 0:01:26
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    django==5.1rc1 from https://www.piwheels.org/simple/django/Django-5.1rc1-py3-none-any.whl#sha256=c4757c4077938e63f9f54d781f77f5673f37469ee312b266d69dc79508ccfd3a:
        Expected sha256 c4757c4077938e63f9f54d781f77f5673f37469ee312b266d69dc79508ccfd3a
             Got        c20395a7e061523712f413ae17beafb5f2213faa172f960a9b1b158517b41eac

At first, I thought the problem was with piwheels because installing through PyPI didn’t raise the same error, but this turned out to be a red herring. The real issue was a network error. I solved it by restarting the wifi on my Raspberry Pi. 🤷

The fact that pip was raising a checksum error felt weird, and I wanted to understand why so I dig into the problem.

Vendored urllib3

It turns out that pip raising the wrong error is a known issue. The problem is that the vendored urllib3 version doesn’t check if the downloaded content length matches the one specified in the Content-Length header. So if a network issue causes the stream to end prematurely, it won’t raise an error, and pip will assume that the download completed successfully. The incompletely downloaded file will then fail the checksum test, so we see the checksum error as the result when this happens.

Why not ugrade urllib3?

Upgrading the bundled urllib3 would fix the issue. Version 2.0.0 of urllib3 checks the content length by default. Unfortunately, the 2.x branch of urllib3 requires OpenSSL 1.1.1+, which only became mandatory in Python 3.10 (PEP 644). pip has to support Python 3.9 until 2025 so the fix for this particular problem is blocked until then.

Restarting the download on errors?

While getting a better error message would be an improvement, the proper solution is to retry the download. There is already a pull request that adds this functionality, but it looks like the work on it stalled.

A solution before 2025?

If you are trying to download a package over a poor connection, you can manually download the wheel file with a tool that automatically restart the download on failues (wget or curl) and then install it with pip:

wget https://www.piwheels.org/simple/django/Django-5.1rc1-py3-none-any.whl
pip install Django-5.1rc1-py3-none-any.whl

Here is an example of me downloading the Django package with wget before I restarted the wifi. The download had to be retried three times!

Saving to: ‘Django-5.1rc1-py3-none-any.whl’

Django-5.1rc1-py3-none-any.whl         24%[=================>                                                        ]   1.94M  61.4KB/s    in 38s

2024-08-01 22:56:47 (52.9 KB/s) - Read error at byte 2031891/8201361 (Error decoding the received TLS packet.). Retrying.

--2024-08-01 22:56:48--  (try: 2)  https://www.piwheels.org/simple/django/Django-5.1rc1-py3-none-any.whl
Connecting to www.piwheels.org (www.piwheels.org)|46.235.225.189|:443... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 8201361 (7.8M), 6169470 (5.9M) remaining
Saving to: ‘Django-5.1rc1-py3-none-any.whl’

Django-5.1rc1-py3-none-any.whl         61%[++++++++++++++++++==========================>                             ]   4.78M  74.5KB/s    in 45s

2024-08-01 22:57:34 (64.1 KB/s) - Read error at byte 5007723/8201361 (Error decoding the received TLS packet.). Retrying.

--2024-08-01 22:57:36--  (try: 3)  https://www.piwheels.org/simple/django/Django-5.1rc1-py3-none-any.whl
Connecting to www.piwheels.org (www.piwheels.org)|46.235.225.189|:443... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 8201361 (7.8M), 3193638 (3.0M) remaining
Saving to: ‘Django-5.1rc1-py3-none-any.whl’

Django-5.1rc1-py3-none-any.whl         92%[+++++++++++++++++++++++++++++++++++++++++++++======================>      ]   7.22M  79.0KB/s    in 35s

2024-08-01 22:58:11 (72.3 KB/s) - Read error at byte 7567555/8201361 (Error decoding the received TLS packet.). Retrying.

--2024-08-01 22:58:14--  (try: 4)  https://www.piwheels.org/simple/django/Django-5.1rc1-py3-none-any.whl
Connecting to www.piwheels.org (www.piwheels.org)|46.235.225.189|:443... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 8201361 (7.8M), 633806 (619K) remaining
Saving to: ‘Django-5.1rc1-py3-none-any.whl’

Django-5.1rc1-py3-none-any.whl        100%[++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=====>]   7.82M  35.9KB/s    in 13s

2024-08-01 22:58:27 (46.9 KB/s) - ‘Django-5.1rc1-py3-none-any.whl’ saved [8201361/8201361]

此内容由惯性聚合(RSS阅读器)自动聚合整理，仅供阅读参考。原文来自 — 版权归原作者所有。

推荐订阅源

Anže's Blog

Vendored urllib3

Why not ugrade urllib3?

Restarting the download on errors?

A solution before 2025?