
pip is failing to verify the hashes of pip package itself. #7748

@kushaldas

Environment

  • pip version: 20.0.2
  • Python version: 3.7 and 3.5
  • OS: Debian Buster and Ubuntu 16.04

Description

I was trying to pin the versions of pip, setuptools and wheel for a virtualenv (for package building).

The update_virtualenv.txt file

#
# This file is autogenerated by pip-compile
# To update, run:
#
#    pip-compile --allow-unsafe --generate-hashes --output-file=update_virtualenv.txt update_virtualenv.in
#
wheel==0.34.2 \
    --hash=sha256:8788e9155fe14f54164c1b9eb0a319d98ef02c160725587ad60f14ddc57b6f96 \
    --hash=sha256:df277cb51e61359aba502208d680f90c0493adec6f0e848af94948778aed386e

# The following packages are considered to be unsafe in a requirements file:
pip==20.0.2 \
    --hash=sha256:4ae14a42d8adba3205ebeb38aa68cfc0b6c346e1ae2e699a0b3bad4da19cef5c \
    --hash=sha256:7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f
setuptools==45.2.0 \
    --hash=sha256:316484eebff54cc18f322dea09ed031b7e3eb00811b19dcedb09bc09bba7d93d \
    --hash=sha256:89c6e6011ec2f6d57d43a3f9296c4ef022c2cbf49bab26b407fe67992ae3397f

Then the commands were given as:

$ virtualenv --setuptools --no-site-packages --python=python3 /tmp/woo
$ /tmp/woo/bin/python3 -m pip install --verbose --ignore-installed --no-deps --no-cache-dir --require-hashes --no-compile -r ./update_virtualenv.txt

Expected behavior

I expect pip to install the packages mentioned in the file.

How to Reproduce

Steps are given above.

Output

# /tmp/work8/bin/python3 -m pip install --verbose --ignore-installed --no-deps --no-cache-dir --require-hashes --no-compile -r update_virtualenv.txt   
Non-user install because user site-packages disabled

output snipped as too long

  Found link https://files.pythonhosted.org/packages/54/0c/d01aa759fdc501a58f431eb594a17495f15b88da142ce14b5845662c13f3/pip-20.0.2-py2.py3-none-any.whl#sha256=4ae14a42d8adba3205ebeb38aa68cfc0b6c346e1ae2e699a0b3bad4da19cef5c (from https://pypi.org/simple/pip/) (requires-python:>=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*), version: 20.0.2
  Found link https://files.pythonhosted.org/packages/8e/76/66066b7bc71817238924c7e4b448abdb17eb0c92d645769c223f9ace478f/pip-20.0.2.tar.gz#sha256=7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f (from https://pypi.org/simple/pip/) (requires-python:>=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*), version: 20.0.2
Given no hashes to check 137 links for project 'pip': discarding no candidates
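
A triage helper for the report above, as an added example that is not part of the original issue or of pip: it parses the `--hash` pins from the requirements file and the verbose log lines, then lists projects for which pip logged "Given no hashes to check" even though the file pins hashes that match the links the index advertised. The names `parse_pins` and `audit` are hypothetical, and the embedded inputs are copied from the issue with the requires-python suffix trimmed.

```python
import re

# Constructed inputs: the pip entry of the issue's requirements file and
# its three relevant verbose-log lines (requires-python suffix trimmed).
REQUIREMENTS = r"""
# The following packages are considered to be unsafe in a requirements file:
pip==20.0.2 \
    --hash=sha256:4ae14a42d8adba3205ebeb38aa68cfc0b6c346e1ae2e699a0b3bad4da19cef5c \
    --hash=sha256:7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f
"""
LOG = """
  Found link https://files.pythonhosted.org/packages/54/0c/d01aa759fdc501a58f431eb594a17495f15b88da142ce14b5845662c13f3/pip-20.0.2-py2.py3-none-any.whl#sha256=4ae14a42d8adba3205ebeb38aa68cfc0b6c346e1ae2e699a0b3bad4da19cef5c (from https://pypi.org/simple/pip/)
  Found link https://files.pythonhosted.org/packages/8e/76/66066b7bc71817238924c7e4b448abdb17eb0c92d645769c223f9ace478f/pip-20.0.2.tar.gz#sha256=7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f (from https://pypi.org/simple/pip/)
Given no hashes to check 137 links for project 'pip': discarding no candidates
"""

LINK_RE = re.compile(r"Found link \S+/(?P<file>[^/#\s]+)#(?P<algo>\w+)=(?P<hex>[0-9a-f]+)"
                     r" \(from \S*/(?P<project>[^/\s]+)/\)")
NOHASH_RE = re.compile(r"Given no hashes to check \d+ links for project '([^']+)'")


def parse_pins(text):
    """Map project name -> set of (algo, hexdigest) pinned with --hash."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)  # fold backslash continuations
    pins = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec, *opts = line.split()
        hashes = {tuple(o[7:].split(":", 1)) for o in opts if o.startswith("--hash=")}
        pins[spec.partition("==")[0].lower()] = hashes
    return pins


def audit(requirements, log):
    """Projects pip reported 'no hashes' for although the file pins hashes,
    mapped to the advertised files whose link hash equals a pinned one."""
    pins, links, flagged = parse_pins(requirements), {}, {}
    for line in log.splitlines():
        if m := LINK_RE.search(line):
            links.setdefault(m["project"].lower(), {})[(m["algo"], m["hex"])] = m["file"]
        elif m := NOHASH_RE.search(line):
            project = m[1].lower()
            if pins.get(project):
                seen = links.get(project, {})
                flagged[project] = sorted(seen[h] for h in pins[project] if h in seen)
    return flagged


if __name__ == "__main__":
    print(audit(REQUIREMENTS, LOG))
```

A non-empty result means the pinned digests were available and matched the index, so the log line reflects hashes not being applied to that project rather than a wrong pin.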
