Lock file gets incorrect hashes when a custom index is specified #988

Closed
pfmoore opened this issue Oct 28, 2017 · 35 comments
Labels: reported bug; Type: Question ❔ (a question or a request for support)

Comments

@pfmoore
Member

pfmoore commented Oct 28, 2017

I am specifying a custom index in Pipfile to host a wheel for pycurl (which is also on PyPI, but does not have a wheel for my environment there). My index just hosts the wheel, with a SHA256 hash specified.

When I do pipenv install, I get an error saying that the hash is not found, and showing a list of expected hashes. I don't know where it got that list from, but it's not from my index... The install fails, and doesn't install pycurl.

Describe your environment
  1. OS: Windows 10
  2. Python version (python -V): Python 3.6.2
  3. Pipenv version (pipenv --version): pipenv, version 8.2.7

Pipenv file:

[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true
name = "pypi"

[[source]]
url = "https://pfmoore.github.io/simple"
verify_ssl = true
name = "pycurl"

[packages]
pycurl = {version="*", index="pycurl"}

[dev-packages]

Expected result

I expected pipenv to download the wheel (which is valid for my environment, confirmed via pip install) and install it.

Actual result

Output from pipenv install --verbose:

Creating a virtualenv for this project…
Using real prefix 'C:\\Users\\Gustav\\AppData\\Local\\Programs\\Python\\Python36'
New python executable in C:\Users\Gustav\.virtualenvs\riot_data-g6PtQnzc\Scripts\python.exe
Installing setuptools, pip, wheel...done.

Virtualenv location: C:\Users\Gustav\.virtualenvs\riot_data-g6PtQnzc
Pipfile.lock not found, creating…
Locking [dev-packages] dependencies…
Locking [packages] dependencies…
Updated Pipfile.lock (3d54a4)!
Installing dependencies from Pipfile.lock (3d54a4)…
Installing 'pycurl==7.43.0 --hash=sha256:de2980f2839029ffa2917fcc1eb84b2dc736f0a30a5413645e514a2b61df04ed  --hash=sha256:d6cb0917ce564c9edc377ae436bc0963ee72be8873c90bcce7470f1670c3baef  --hash=sha256:1ba222eafcb740805d5c9fe778a47d2704bf764abe9a2546de90f159e4c3a116  --hash=sha256:f614c93422f31761764a002297b56a0c7f0aeaee7badb0fb43764bda13467697  --hash=sha256:b0af8badfda56b175e190cf0fb1a18d2bd600a677d3b5d9f7a579823eec74fa4  --hash=sha256:9db493308f092b87d8113cea322886f07c2f1b64f9839dffd4a65c300f91244b  --hash=sha256:26dcfb05ecbaa27ffaa71a4a3add217ec9e1cee2998b727e1b9e6eff7264d5f8  --hash=sha256:413b82b25795dcd0656e2d254892a16f531d88eccabc3a97c9c9451781caf5e8  --hash=sha256:89758f2375fe44b139fcc11e305a060c75a4a89178b5066a3894055fe069a80e  --hash=sha256:991d221a59c5546370e618241ec05e7d85efd7c5126fb33387de0a12c2cfe8e4  --hash=sha256:39a7399e7da031f4648bd6ea273b02c0cf203471b63fe3629d19ebfd13e5701f  --hash=sha256:9997e9994860cc99f2622de4133e0dd1756797852645dc6942b58142014f2e59  --hash=sha256:aa975c19b79b6aa6c0518c0cc2ae33528900478f0b500531dbcdbf05beec584c  --hash=sha256:7d1ffc138132a7dcb322d41b1f7d5ed7e2f9bb0dea3103ae5ca25fae2a1f689b  --hash=sha256:074a565bc33cfc484fa87339136876f1d8176bd30bb214235e11382b363beef9  --hash=sha256:d6ac0f902cb82cab13bc9488fb5240cf86325bd24800dc5ab677f8044993f6fc  --hash=sha256:61d4b1a2dc1ecdb3b6d4188d63ab884e8768cfc85f37f48c481935b784920137  --hash=sha256:1339972f6faf9e7feb54e0d62b018dcea6c99fb5ca46fef4a8d20c2a810d1f2d  --hash=sha256:30983ec2f88ee0d26d290f276563c26bc1d302f1f6fc447092368bce7a93f0ea  --hash=sha256:9075d35c8bafb96a836a7558b37fe697ec04646f76239254b06e87eb360097c7  --hash=sha256:36c3a2d6b4ca31f39ac84fe9b7616d338191f956710c7912c546ffef18600f2f  --hash=sha256:024fba378134633694b7a64ec7cb8ef9a98e3ce6b5635247b51b7282b96f33de  --hash=sha256:826866c43ef532b7633e24332b7f4bc6b309e72b33631c2b06258fdb284dd55b  --hash=sha256:59f637ffe21a90b6155df34b9fdf3030b6453859110db8700bf17f569c6449d6  
--hash=sha256:614687bdc73246ce85f73b7199d533a222efdda954e84a6bd692fef25fa3b6ac'
$ "C:\Users\Gustav\.virtualenvs\riot_data-g6PtQnzc\Scripts\pip.exe" install   --verbose --no-deps  -r C:\Users\Gustav\AppData\Local\Temp\pipenv-yulvrmgc-requirement.txt --require-hashes -i https://pfmoore.github.io/simple --exists-action w
Config variable 'Py_DEBUG' is unset, Python ABI tag may be incorrect
Config variable 'WITH_PYMALLOC' is unset, Python ABI tag may be incorrect
Collecting pycurl==7.43.0 (from -r C:\Users\Gustav\AppData\Local\Temp\pipenv-yulvrmgc-requirement.txt (line 1))
  1 location(s) to search for versions of pycurl:
  * https://pfmoore.github.io/simple/pycurl/
  Getting page https://pfmoore.github.io/simple/pycurl/
  Looking up "https://pfmoore.github.io/simple/pycurl/" in the cache
  Current age based on date: 94
  Freshness lifetime from max-age: 600
  Freshness lifetime from request max-age: 600
  The response is "fresh", returning cached response
  600 > 94
  Analyzing links from page https://pfmoore.github.io/simple/pycurl/
    Found link https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl#sha256=7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6 (from https://pfmoore.github.io/simple/pycurl/), version: 7.43.0
  Using version 7.43.0 (newest of versions: 7.43.0)
  Looking up "https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl" in the cache
  Current age based on date: 92
  Freshness lifetime from max-age: 600
  The response is "fresh", returning cached response
  600 > 92
  Using cached https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl
  Downloading from URL https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl#sha256=7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6 (from https://pfmoore.github.io/simple/pycurl/)
Cleaning up...
THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    pycurl==7.43.0 from https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl#sha256=7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6 (from -r C:\Users\Gustav\AppData\Local\Temp\pipenv-yulvrmgc-requirement.txt (line 1)):
        Expected sha256 de2980f2839029ffa2917fcc1eb84b2dc736f0a30a5413645e514a2b61df04ed
        Expected     or d6cb0917ce564c9edc377ae436bc0963ee72be8873c90bcce7470f1670c3baef
        Expected     or 1ba222eafcb740805d5c9fe778a47d2704bf764abe9a2546de90f159e4c3a116
        Expected     or f614c93422f31761764a002297b56a0c7f0aeaee7badb0fb43764bda13467697
        Expected     or b0af8badfda56b175e190cf0fb1a18d2bd600a677d3b5d9f7a579823eec74fa4
        Expected     or 9db493308f092b87d8113cea322886f07c2f1b64f9839dffd4a65c300f91244b
        Expected     or 26dcfb05ecbaa27ffaa71a4a3add217ec9e1cee2998b727e1b9e6eff7264d5f8
        Expected     or 413b82b25795dcd0656e2d254892a16f531d88eccabc3a97c9c9451781caf5e8
        Expected     or 89758f2375fe44b139fcc11e305a060c75a4a89178b5066a3894055fe069a80e
        Expected     or 991d221a59c5546370e618241ec05e7d85efd7c5126fb33387de0a12c2cfe8e4
        Expected     or 39a7399e7da031f4648bd6ea273b02c0cf203471b63fe3629d19ebfd13e5701f
        Expected     or 9997e9994860cc99f2622de4133e0dd1756797852645dc6942b58142014f2e59
        Expected     or aa975c19b79b6aa6c0518c0cc2ae33528900478f0b500531dbcdbf05beec584c
        Expected     or 7d1ffc138132a7dcb322d41b1f7d5ed7e2f9bb0dea3103ae5ca25fae2a1f689b
        Expected     or 074a565bc33cfc484fa87339136876f1d8176bd30bb214235e11382b363beef9
        Expected     or d6ac0f902cb82cab13bc9488fb5240cf86325bd24800dc5ab677f8044993f6fc
        Expected     or 61d4b1a2dc1ecdb3b6d4188d63ab884e8768cfc85f37f48c481935b784920137
        Expected     or 1339972f6faf9e7feb54e0d62b018dcea6c99fb5ca46fef4a8d20c2a810d1f2d
        Expected     or 30983ec2f88ee0d26d290f276563c26bc1d302f1f6fc447092368bce7a93f0ea
        Expected     or 9075d35c8bafb96a836a7558b37fe697ec04646f76239254b06e87eb360097c7
        Expected     or 36c3a2d6b4ca31f39ac84fe9b7616d338191f956710c7912c546ffef18600f2f
        Expected     or 024fba378134633694b7a64ec7cb8ef9a98e3ce6b5635247b51b7282b96f33de
        Expected     or 826866c43ef532b7633e24332b7f4bc6b309e72b33631c2b06258fdb284dd55b
        Expected     or 59f637ffe21a90b6155df34b9fdf3030b6453859110db8700bf17f569c6449d6
        Expected     or 614687bdc73246ce85f73b7199d533a222efdda954e84a6bd692fef25fa3b6ac
             Got        7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6

Exception information:
Traceback (most recent call last):
  File "c:\users\gustav\.virtualenvs\riot_data-g6ptqnzc\lib\site-packages\pip\basecommand.py", line 215, in main
    status = self.run(options, args)
  File "c:\users\gustav\.virtualenvs\riot_data-g6ptqnzc\lib\site-packages\pip\commands\install.py", line 335, in run
    wb.build(autobuilding=True)
  File "c:\users\gustav\.virtualenvs\riot_data-g6ptqnzc\lib\site-packages\pip\wheel.py", line 749, in build
    self.requirement_set.prepare_files(self.finder)
  File "c:\users\gustav\.virtualenvs\riot_data-g6ptqnzc\lib\site-packages\pip\req\req_set.py", line 386, in prepare_files
    raise hash_errors
pip.exceptions.HashErrors: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    pycurl==7.43.0 from https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl#sha256=7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6 (from -r C:\Users\Gustav\AppData\Local\Temp\pipenv-yulvrmgc-requirement.txt (line 1)):
        Expected sha256 de2980f2839029ffa2917fcc1eb84b2dc736f0a30a5413645e514a2b61df04ed
        Expected     or d6cb0917ce564c9edc377ae436bc0963ee72be8873c90bcce7470f1670c3baef
        Expected     or 1ba222eafcb740805d5c9fe778a47d2704bf764abe9a2546de90f159e4c3a116
        Expected     or f614c93422f31761764a002297b56a0c7f0aeaee7badb0fb43764bda13467697
        Expected     or b0af8badfda56b175e190cf0fb1a18d2bd600a677d3b5d9f7a579823eec74fa4
        Expected     or 9db493308f092b87d8113cea322886f07c2f1b64f9839dffd4a65c300f91244b
        Expected     or 26dcfb05ecbaa27ffaa71a4a3add217ec9e1cee2998b727e1b9e6eff7264d5f8
        Expected     or 413b82b25795dcd0656e2d254892a16f531d88eccabc3a97c9c9451781caf5e8
        Expected     or 89758f2375fe44b139fcc11e305a060c75a4a89178b5066a3894055fe069a80e
        Expected     or 991d221a59c5546370e618241ec05e7d85efd7c5126fb33387de0a12c2cfe8e4
        Expected     or 39a7399e7da031f4648bd6ea273b02c0cf203471b63fe3629d19ebfd13e5701f
        Expected     or 9997e9994860cc99f2622de4133e0dd1756797852645dc6942b58142014f2e59
        Expected     or aa975c19b79b6aa6c0518c0cc2ae33528900478f0b500531dbcdbf05beec584c
        Expected     or 7d1ffc138132a7dcb322d41b1f7d5ed7e2f9bb0dea3103ae5ca25fae2a1f689b
        Expected     or 074a565bc33cfc484fa87339136876f1d8176bd30bb214235e11382b363beef9
        Expected     or d6ac0f902cb82cab13bc9488fb5240cf86325bd24800dc5ab677f8044993f6fc
        Expected     or 61d4b1a2dc1ecdb3b6d4188d63ab884e8768cfc85f37f48c481935b784920137
        Expected     or 1339972f6faf9e7feb54e0d62b018dcea6c99fb5ca46fef4a8d20c2a810d1f2d
        Expected     or 30983ec2f88ee0d26d290f276563c26bc1d302f1f6fc447092368bce7a93f0ea
        Expected     or 9075d35c8bafb96a836a7558b37fe697ec04646f76239254b06e87eb360097c7
        Expected     or 36c3a2d6b4ca31f39ac84fe9b7616d338191f956710c7912c546ffef18600f2f
        Expected     or 024fba378134633694b7a64ec7cb8ef9a98e3ce6b5635247b51b7282b96f33de
        Expected     or 826866c43ef532b7633e24332b7f4bc6b309e72b33631c2b06258fdb284dd55b
        Expected     or 59f637ffe21a90b6155df34b9fdf3030b6453859110db8700bf17f569c6449d6
        Expected     or 614687bdc73246ce85f73b7199d533a222efdda954e84a6bd692fef25fa3b6ac
             Got        7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6


An error occurred while installing pycurl==7.43.0! Will try again.
  ================================ 1/1 - 00:00:00
Installing initially–failed dependencies…
Installing 'pycurl==7.43.0 --hash=sha256:de2980f2839029ffa2917fcc1eb84b2dc736f0a30a5413645e514a2b61df04ed  --hash=sha256:d6cb0917ce564c9edc377ae436bc0963ee72be8873c90bcce7470f1670c3baef  --hash=sha256:1ba222eafcb740805d5c9fe778a47d2704bf764abe9a2546de90f159e4c3a116  --hash=sha256:f614c93422f31761764a002297b56a0c7f0aeaee7badb0fb43764bda13467697  --hash=sha256:b0af8badfda56b175e190cf0fb1a18d2bd600a677d3b5d9f7a579823eec74fa4  --hash=sha256:9db493308f092b87d8113cea322886f07c2f1b64f9839dffd4a65c300f91244b  --hash=sha256:26dcfb05ecbaa27ffaa71a4a3add217ec9e1cee2998b727e1b9e6eff7264d5f8  --hash=sha256:413b82b25795dcd0656e2d254892a16f531d88eccabc3a97c9c9451781caf5e8  --hash=sha256:89758f2375fe44b139fcc11e305a060c75a4a89178b5066a3894055fe069a80e  --hash=sha256:991d221a59c5546370e618241ec05e7d85efd7c5126fb33387de0a12c2cfe8e4  --hash=sha256:39a7399e7da031f4648bd6ea273b02c0cf203471b63fe3629d19ebfd13e5701f  --hash=sha256:9997e9994860cc99f2622de4133e0dd1756797852645dc6942b58142014f2e59  --hash=sha256:aa975c19b79b6aa6c0518c0cc2ae33528900478f0b500531dbcdbf05beec584c  --hash=sha256:7d1ffc138132a7dcb322d41b1f7d5ed7e2f9bb0dea3103ae5ca25fae2a1f689b  --hash=sha256:074a565bc33cfc484fa87339136876f1d8176bd30bb214235e11382b363beef9  --hash=sha256:d6ac0f902cb82cab13bc9488fb5240cf86325bd24800dc5ab677f8044993f6fc  --hash=sha256:61d4b1a2dc1ecdb3b6d4188d63ab884e8768cfc85f37f48c481935b784920137  --hash=sha256:1339972f6faf9e7feb54e0d62b018dcea6c99fb5ca46fef4a8d20c2a810d1f2d  --hash=sha256:30983ec2f88ee0d26d290f276563c26bc1d302f1f6fc447092368bce7a93f0ea  --hash=sha256:9075d35c8bafb96a836a7558b37fe697ec04646f76239254b06e87eb360097c7  --hash=sha256:36c3a2d6b4ca31f39ac84fe9b7616d338191f956710c7912c546ffef18600f2f  --hash=sha256:024fba378134633694b7a64ec7cb8ef9a98e3ce6b5635247b51b7282b96f33de  --hash=sha256:826866c43ef532b7633e24332b7f4bc6b309e72b33631c2b06258fdb284dd55b  --hash=sha256:59f637ffe21a90b6155df34b9fdf3030b6453859110db8700bf17f569c6449d6  
--hash=sha256:614687bdc73246ce85f73b7199d533a222efdda954e84a6bd692fef25fa3b6ac'
$ "C:\Users\Gustav\.virtualenvs\riot_data-g6PtQnzc\Scripts\pip.exe" install   --verbose --no-deps  -r C:\Users\Gustav\AppData\Local\Temp\pipenv-lwi68f7a-requirement.txt --require-hashes -i https://pypi.python.org/simple --exists-action w
$ "C:\Users\Gustav\.virtualenvs\riot_data-g6PtQnzc\Scripts\pip.exe" install   --verbose --no-deps  -r C:\Users\Gustav\AppData\Local\Temp\pipenv-lwi68f7a-requirement.txt --require-hashes -i https://pfmoore.github.io/simple --exists-action w
Config variable 'Py_DEBUG' is unset, Python ABI tag may be incorrect
Config variable 'WITH_PYMALLOC' is unset, Python ABI tag may be incorrect
Collecting pycurl==7.43.0
  1 location(s) to search for versions of pycurl:
  * https://pfmoore.github.io/simple/pycurl/
  Getting page https://pfmoore.github.io/simple/pycurl/
  Looking up "https://pfmoore.github.io/simple/pycurl/" in the cache
  Current age based on date: 97
  Freshness lifetime from max-age: 600
  Freshness lifetime from request max-age: 600
  The response is "fresh", returning cached response
  600 > 97
  Analyzing links from page https://pfmoore.github.io/simple/pycurl/
    Found link https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl#sha256=7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6 (from https://pfmoore.github.io/simple/pycurl/), version: 7.43.0
  Using version 7.43.0 (newest of versions: 7.43.0)
  Looking up "https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl" in the cache
  Current age based on date: 95
  Freshness lifetime from max-age: 600
  The response is "fresh", returning cached response
  600 > 95
  Using cached https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl
  Downloading from URL https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl#sha256=7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6 (from https://pfmoore.github.io/simple/pycurl/)
Cleaning up...
Exception information:
Traceback (most recent call last):
  File "c:\users\gustav\.virtualenvs\riot_data-g6ptqnzc\lib\site-packages\pip\basecommand.py", line 215, in main
    status = self.run(options, args)
  File "c:\users\gustav\.virtualenvs\riot_data-g6ptqnzc\lib\site-packages\pip\commands\install.py", line 335, in run
    wb.build(autobuilding=True)
  File "c:\users\gustav\.virtualenvs\riot_data-g6ptqnzc\lib\site-packages\pip\wheel.py", line 749, in build
    self.requirement_set.prepare_files(self.finder)
  File "c:\users\gustav\.virtualenvs\riot_data-g6ptqnzc\lib\site-packages\pip\req\req_set.py", line 386, in prepare_files
    raise hash_errors
pip.exceptions.HashErrors: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    pycurl==7.43.0 from https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl#sha256=7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6
        Expected sha256 de2980f2839029ffa2917fcc1eb84b2dc736f0a30a5413645e514a2b61df04ed
        Expected     or d6cb0917ce564c9edc377ae436bc0963ee72be8873c90bcce7470f1670c3baef
        Expected     or 1ba222eafcb740805d5c9fe778a47d2704bf764abe9a2546de90f159e4c3a116
        Expected     or f614c93422f31761764a002297b56a0c7f0aeaee7badb0fb43764bda13467697
        Expected     or b0af8badfda56b175e190cf0fb1a18d2bd600a677d3b5d9f7a579823eec74fa4
        Expected     or 9db493308f092b87d8113cea322886f07c2f1b64f9839dffd4a65c300f91244b
        Expected     or 26dcfb05ecbaa27ffaa71a4a3add217ec9e1cee2998b727e1b9e6eff7264d5f8
        Expected     or 413b82b25795dcd0656e2d254892a16f531d88eccabc3a97c9c9451781caf5e8
        Expected     or 89758f2375fe44b139fcc11e305a060c75a4a89178b5066a3894055fe069a80e
        Expected     or 991d221a59c5546370e618241ec05e7d85efd7c5126fb33387de0a12c2cfe8e4
        Expected     or 39a7399e7da031f4648bd6ea273b02c0cf203471b63fe3629d19ebfd13e5701f
        Expected     or 9997e9994860cc99f2622de4133e0dd1756797852645dc6942b58142014f2e59
        Expected     or aa975c19b79b6aa6c0518c0cc2ae33528900478f0b500531dbcdbf05beec584c
        Expected     or 7d1ffc138132a7dcb322d41b1f7d5ed7e2f9bb0dea3103ae5ca25fae2a1f689b
        Expected     or 074a565bc33cfc484fa87339136876f1d8176bd30bb214235e11382b363beef9
        Expected     or d6ac0f902cb82cab13bc9488fb5240cf86325bd24800dc5ab677f8044993f6fc
        Expected     or 61d4b1a2dc1ecdb3b6d4188d63ab884e8768cfc85f37f48c481935b784920137
        Expected     or 1339972f6faf9e7feb54e0d62b018dcea6c99fb5ca46fef4a8d20c2a810d1f2d
        Expected     or 30983ec2f88ee0d26d290f276563c26bc1d302f1f6fc447092368bce7a93f0ea
        Expected     or 9075d35c8bafb96a836a7558b37fe697ec04646f76239254b06e87eb360097c7
        Expected     or 36c3a2d6b4ca31f39ac84fe9b7616d338191f956710c7912c546ffef18600f2f
        Expected     or 024fba378134633694b7a64ec7cb8ef9a98e3ce6b5635247b51b7282b96f33de
        Expected     or 826866c43ef532b7633e24332b7f4bc6b309e72b33631c2b06258fdb284dd55b
        Expected     or 59f637ffe21a90b6155df34b9fdf3030b6453859110db8700bf17f569c6449d6
        Expected     or 614687bdc73246ce85f73b7199d533a222efdda954e84a6bd692fef25fa3b6ac
             Got        7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6


THESE PACKAGES DO NOT MATCH THE HASHES FROM Pipfile.lock!. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    pycurl==7.43.0 from https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl#sha256=7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6 (from -r C:\Users\Gustav\AppData\Local\Temp\pipenv-lwi68f7a-requirement.txt (line 1)):
        Expected sha256 de2980f2839029ffa2917fcc1eb84b2dc736f0a30a5413645e514a2b61df04ed
        Expected     or d6cb0917ce564c9edc377ae436bc0963ee72be8873c90bcce7470f1670c3baef
        Expected     or 1ba222eafcb740805d5c9fe778a47d2704bf764abe9a2546de90f159e4c3a116
        Expected     or f614c93422f31761764a002297b56a0c7f0aeaee7badb0fb43764bda13467697
        Expected     or b0af8badfda56b175e190cf0fb1a18d2bd600a677d3b5d9f7a579823eec74fa4
        Expected     or 9db493308f092b87d8113cea322886f07c2f1b64f9839dffd4a65c300f91244b
        Expected     or 26dcfb05ecbaa27ffaa71a4a3add217ec9e1cee2998b727e1b9e6eff7264d5f8
        Expected     or 413b82b25795dcd0656e2d254892a16f531d88eccabc3a97c9c9451781caf5e8
        Expected     or 89758f2375fe44b139fcc11e305a060c75a4a89178b5066a3894055fe069a80e
        Expected     or 991d221a59c5546370e618241ec05e7d85efd7c5126fb33387de0a12c2cfe8e4
        Expected     or 39a7399e7da031f4648bd6ea273b02c0cf203471b63fe3629d19ebfd13e5701f
        Expected     or 9997e9994860cc99f2622de4133e0dd1756797852645dc6942b58142014f2e59
        Expected     or aa975c19b79b6aa6c0518c0cc2ae33528900478f0b500531dbcdbf05beec584c
        Expected     or 7d1ffc138132a7dcb322d41b1f7d5ed7e2f9bb0dea3103ae5ca25fae2a1f689b
        Expected     or 074a565bc33cfc484fa87339136876f1d8176bd30bb214235e11382b363beef9
        Expected     or d6ac0f902cb82cab13bc9488fb5240cf86325bd24800dc5ab677f8044993f6fc
        Expected     or 61d4b1a2dc1ecdb3b6d4188d63ab884e8768cfc85f37f48c481935b784920137
        Expected     or 1339972f6faf9e7feb54e0d62b018dcea6c99fb5ca46fef4a8d20c2a810d1f2d
        Expected     or 30983ec2f88ee0d26d290f276563c26bc1d302f1f6fc447092368bce7a93f0ea
        Expected     or 9075d35c8bafb96a836a7558b37fe697ec04646f76239254b06e87eb360097c7
        Expected     or 36c3a2d6b4ca31f39ac84fe9b7616d338191f956710c7912c546ffef18600f2f
        Expected     or 024fba378134633694b7a64ec7cb8ef9a98e3ce6b5635247b51b7282b96f33de
        Expected     or 826866c43ef532b7633e24332b7f4bc6b309e72b33631c2b06258fdb284dd55b
        Expected     or 59f637ffe21a90b6155df34b9fdf3030b6453859110db8700bf17f569c6449d6
        Expected     or 614687bdc73246ce85f73b7199d533a222efdda954e84a6bd692fef25fa3b6ac
             Got        7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6


     ================================ 0/1 - 00:00:02

Steps to replicate
  1. Create a new, empty directory.
  2. Add a Pipfile with the content as given above. The index https://pfmoore.github.io/simple is publicly available, so should work fine to reproduce the issue.
  3. Run pipenv install.
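The log above shows two separate hash sources that never meet: the custom index publishes the wheel's digest in the `#sha256=` fragment of its PEP 503 link (the "Got" value), while Pipfile.lock carries a list of digests gathered elsewhere (the "Expected" values), and pip's `--require-hashes` check only consults the latter. The following is an added example, not pip's or pipenv's code: it parses a constructed PEP 503 project page, hashes a constructed stand-in for the wheel, and runs the same membership test pip runs. The two lockfile digests are copied from the Pipfile.lock output in this issue; the index HTML, the wheel bytes and the function names (`parse_simple_page`, `check_hashes`, `install_check`) are this example's own.

```python
import hashlib
import html
import re
from urllib.parse import unquote, urlsplit

# Two of the sha256 digests pipenv wrote into Pipfile.lock in the issue above.
# They describe PyPI's own pycurl 7.43.0 files, not the wheel on the custom index.
LOCKFILE_SHA256 = [
    "de2980f2839029ffa2917fcc1eb84b2dc736f0a30a5413645e514a2b61df04ed",
    "9997e9994860cc99f2622de4133e0dd1756797852645dc6942b58142014f2e59",
]

# Constructed stand-in for the file served by the custom index (not a real wheel).
WHEEL_BYTES = b"PK\x03\x04 constructed stand-in for pycurl-7.43.0-cp36-cp36m-win_amd64.whl"
WHEEL_SHA256 = hashlib.sha256(WHEEL_BYTES).hexdigest()

# Constructed PEP 503 project page: the href carries the file's digest in a
# "#sha256=<hex>" fragment, which is how a simple index publishes a hash.
INDEX_PAGE = (
    "<html><body><h1>Links for pycurl</h1>\n"
    '<a href="pycurl-7.43.0-cp36-cp36m-win_amd64.whl#sha256={}">'
    "pycurl-7.43.0-cp36-cp36m-win_amd64.whl</a>\n"
    "</body></html>"
).format(WHEEL_SHA256)

_ANCHOR_RE = re.compile(r'<a\s+[^>]*?href="([^"]+)"', re.IGNORECASE)
_WHEEL_RE = re.compile(r"^(?P<name>[^-]+)-(?P<version>[^-]+)-.+\.whl$")


def parse_simple_page(page):
    """Return one dict per link: filename, version (parsed from the wheel name)
    and the hash name/digest from the URL fragment (None if the index gave none)."""
    links = []
    for href in _ANCHOR_RE.findall(page):
        parts = urlsplit(html.unescape(href))
        filename = unquote(parts.path.rsplit("/", 1)[-1])
        m = _WHEEL_RE.match(filename)
        hash_name = digest = None
        if "=" in parts.fragment:
            hash_name, digest = parts.fragment.split("=", 1)
            digest = digest.lower()
        links.append({"filename": filename,
                      "version": m.group("version") if m else None,
                      "hash_name": hash_name, "digest": digest})
    return links


def check_hashes(artifact, allowed_sha256):
    """Emulate pip's --require-hashes rule: the downloaded bytes must hash to one
    of the digests listed for the requirement. Returns (ok, got_digest)."""
    got = hashlib.sha256(artifact).hexdigest()
    return got in {h.lower() for h in allowed_sha256}, got


def install_check(page, artifact, lockfile_sha256):
    """Follow the path pip takes in the log above: pick the link, compare the
    download with the index's own fragment, then with the lockfile's list."""
    link = parse_simple_page(page)[0]
    ok, got = check_hashes(artifact, lockfile_sha256)
    report = {
        "file": link["filename"],
        "version": link["version"],
        "index_fragment_matches": link["digest"] == got,
        "lockfile_matches": ok,
        "got": got,
    }
    if not ok:
        # Same shape as pip's hash-mismatch report quoted in the issue.
        lines = ["Expected sha256 " + lockfile_sha256[0]]
        lines += ["Expected     or " + h for h in lockfile_sha256[1:]]
        lines.append("     Got        " + got)
        report["message"] = "\n".join(lines)
    return report


if __name__ == "__main__":
    result = install_check(INDEX_PAGE, WHEEL_BYTES, LOCKFILE_SHA256)
    print("index fragment matches download:", result["index_fragment_matches"])
    print("lockfile accepts download:      ", result["lockfile_matches"])
    if "message" in result:
        print(result["message"])
```

Running it reproduces the shape of the failure: the index's own fragment agrees with the download, so the file is exactly what the index advertised, yet the lockfile rejects it because none of its digests were derived from that file. The fix on the tooling side is to record the index's `#sha256=` digest at lock time; until then the error is indistinguishable from a tampered download, which is the right default for a hash check.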
pfmoore changed the title from "Lock file gets hashes from PyPI even if a custom index is specified" to "Lock file gets incorrect hashes when a custom index is specified" on Oct 28, 2017
@techalchemy
Member

@pfmoore I'm just taking a random stab at this but you may need to rename the wheel to include version info in order for pip-tools to resolve it properly

@pfmoore
Member Author

pfmoore commented Oct 28, 2017

@techalchemy the wheel name does include the version - pycurl-7.43.0-cp36-cp36m-win_amd64.whl.

If you meant the name in the Pipfile, then the whole point here is to get the latest version available from the source, so if I have to specify the version, that defeats the object, surely?

@techalchemy
Member

@pfmoore no sorry I was on mobile and didn't click all the way through, you covered exactly what I meant. I'll check, we use pip-tools to resolve the lockfile but I am not sure if we are passing the custom indexes to it. It's pulling hashes from pypi right? What happens if you run pipenv lock --clear?

@pfmoore
Member Author

pfmoore commented Oct 28, 2017

I guess the hashes must come from PyPI, but I don't know how, as I can't find them anywhere on there (PyPI has md5 hashes but not sha256).

I tried pipenv lock --clear, although I'm not sure what I should expect. What I got is:

>pipenv lock --clear
Locking [dev-packages] dependencies…
Locking [packages] dependencies…
Updated Pipfile.lock (3d54a4)!
>pipenv install
Installing dependencies from Pipfile.lock (3d54a4)…
An error occurred while installing pycurl==7.43.0! Will try again.
  ================================ 1/1 - 00:00:00
Installing initially–failed dependencies…
Collecting pycurl==7.43.0 ----------- 0/1 - 00:00:00
  Using cached https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl

THESE PACKAGES DO NOT MATCH THE HASHES FROM Pipfile.lock!. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    pycurl==7.43.0 from https://pfmoore.github.io/simple/pycurl/pycurl-7.43.0-cp36-cp36m-win_amd64.whl#sha256=7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6 (from -r C:\Users\Gustav\AppData\Local\Temp\pipenv-_xdlfnxh-requirement.txt (line 1)):
        Expected sha256 de2980f2839029ffa2917fcc1eb84b2dc736f0a30a5413645e514a2b61df04ed
        Expected     or d6cb0917ce564c9edc377ae436bc0963ee72be8873c90bcce7470f1670c3baef
        Expected     or 1ba222eafcb740805d5c9fe778a47d2704bf764abe9a2546de90f159e4c3a116
        Expected     or f614c93422f31761764a002297b56a0c7f0aeaee7badb0fb43764bda13467697
        Expected     or b0af8badfda56b175e190cf0fb1a18d2bd600a677d3b5d9f7a579823eec74fa4
        Expected     or 9db493308f092b87d8113cea322886f07c2f1b64f9839dffd4a65c300f91244b
        Expected     or 26dcfb05ecbaa27ffaa71a4a3add217ec9e1cee2998b727e1b9e6eff7264d5f8
        Expected     or 413b82b25795dcd0656e2d254892a16f531d88eccabc3a97c9c9451781caf5e8
        Expected     or 89758f2375fe44b139fcc11e305a060c75a4a89178b5066a3894055fe069a80e
        Expected     or 991d221a59c5546370e618241ec05e7d85efd7c5126fb33387de0a12c2cfe8e4
        Expected     or 39a7399e7da031f4648bd6ea273b02c0cf203471b63fe3629d19ebfd13e5701f
        Expected     or 9997e9994860cc99f2622de4133e0dd1756797852645dc6942b58142014f2e59
        Expected     or aa975c19b79b6aa6c0518c0cc2ae33528900478f0b500531dbcdbf05beec584c
        Expected     or 7d1ffc138132a7dcb322d41b1f7d5ed7e2f9bb0dea3103ae5ca25fae2a1f689b
        Expected     or 074a565bc33cfc484fa87339136876f1d8176bd30bb214235e11382b363beef9
        Expected     or d6ac0f902cb82cab13bc9488fb5240cf86325bd24800dc5ab677f8044993f6fc
        Expected     or 61d4b1a2dc1ecdb3b6d4188d63ab884e8768cfc85f37f48c481935b784920137
        Expected     or 1339972f6faf9e7feb54e0d62b018dcea6c99fb5ca46fef4a8d20c2a810d1f2d
        Expected     or 30983ec2f88ee0d26d290f276563c26bc1d302f1f6fc447092368bce7a93f0ea
        Expected     or 9075d35c8bafb96a836a7558b37fe697ec04646f76239254b06e87eb360097c7
        Expected     or 36c3a2d6b4ca31f39ac84fe9b7616d338191f956710c7912c546ffef18600f2f
        Expected     or 024fba378134633694b7a64ec7cb8ef9a98e3ce6b5635247b51b7282b96f33de
        Expected     or 826866c43ef532b7633e24332b7f4bc6b309e72b33631c2b06258fdb284dd55b
        Expected     or 59f637ffe21a90b6155df34b9fdf3030b6453859110db8700bf17f569c6449d6
        Expected     or 614687bdc73246ce85f73b7199d533a222efdda954e84a6bd692fef25fa3b6ac
             Got        7b9443007238914a6cc7fb6c3442aa00f06868b141837097f249adf54add11b6


     ================================ 0/1 - 00:00:02

@techalchemy
Member

Oh pypi has sha256 hashes, you just have to request them specifically when you look. For instance, pycurl==7.4.3 has a bdist that is probably a match for your dependency specification despite it having python35 in its name, and the hash is the one starting with 9997:

See here for the json formatted version

@pfmoore
Member Author

pfmoore commented Oct 28, 2017

Ah, I was looking at https://pypi.python.org/pypi/pycurl/json. My mistake.

Unfortunately, if the wheel says it's for Python 3.5 (which that one does) it's not installable on Python 3.6. That's why I need to get the wheel from a different index...

@nateprewitt
Sponsor Member

Yeah, we rely on Warehouse rather than the legacy pypi server for hashes @pfmoore. I agree this should work for your use case though. A lot of the hash work that we'd previously done was ripped out and redone by Kenneth recently and I don't know if we have proper test coverage around cases like this.

We need to try to resolve the hash back to the third party instance, which we don't currently do. In the event it's not available though, we'll probably have to include no hashes. You'll need to use --ignore-hashes then, which turns off checking for all packages. Not ideal, but I don't know if we have a better option at this point.

@nateprewitt
Sponsor Member

Well... we've removed --ignore-hashes despite still having all the code for it. We may not have a tractable solution currently. I'll start poking around at what we have for options.

@pfmoore
Member Author

pfmoore commented Oct 28, 2017

@nateprewitt thanks for the explanation. Am I right that by including #sha= in the data in my webpage, I'm providing the needed hash for the file? Is it sufficient to implement just a PEP 503 index, or do I need a JSON API as well? (I understand what you're saying, that you don't do that properly at the moment - I just want to confirm that you don't require anything beyond PEP 503 support).

There's no massive rush - I can work around this for now just by manually installing pycurl with pip. But I'll be happy to help test if you need me to.

@techalchemy
Member

@nateprewitt wait why did we remove --ignore-hashes? It seems like it is sufficiently different from --skip-lock

@nateprewitt
Sponsor Member

@pfmoore, I'm still making sure I understand our new implementation. I would say yes, that's how I'd prefer it to work, but it seems we may have the json endpoint check hardcoded. I'm going to see how much work it is to get something more general.

@techalchemy, I don't know. It was sometime in the last month or two while I was away.

@techalchemy
Member

@nateprewitt @pfmoore seems like if pipenv isn't supplied any hashes when it installs, it will ignore hashes by default
76cee70
58aca73

@pfmoore
Member Author

pfmoore commented Oct 28, 2017

@techalchemy So if I remove the hashes from my index it'll work? I don't think it did (I originally didn't have the hashes in the index IIRC).

@nateprewitt
Sponsor Member

nateprewitt commented Oct 28, 2017

@techalchemy 😬 so that's the exact functionality we've (I've?) tried to avoid. We definitely shouldn't be installing packages without a check if the hash field is empty. Pipfile.lock files that are sufficiently complex aren't going to be visually read, and that means no one is going to know whether or not a package is actually being validated.

If we're going to implement a "security" feature and claim it does something, it MUST do that thing unambiguously. Silently ignoring missing hashes is not an acceptable default. That's why we eventually moved to an opt-in model rather than opt-out. At least until these most recent changes.

@pfmoore I've confirmed we do ignore empty hash lists on at least the main Warehouse instance (https://pypi.org). I haven't been able to set up a Windows environment to test your instance. Also, in regards to the PEP 503 compliance question earlier, the issue with that is we need ALL possible hashes for a given version when building the lockfile. Otherwise, we can't move the lockfile cross-platform because we're going to get a different wheel on Linux than on Windows.

@techalchemy
Member

@nateprewitt I tend to agree... but even if we could 'fail silently' I couldn't think of a reason why we would want to prevent users from explicitly ignoring them.

@nateprewitt
Sponsor Member

@nateprewitt I tend to agree... but even if we could 'fail silently' I couldn't think of a reason why we would want to prevent users from explicitly ignoring them.

I'm not positive I know what you're referring to with 'fail silently'. If you're referring to silently ignoring hashes, it appears we do that now, and that's wrong imo. There are two acceptable models here from a security perspective.

1.) We provide an --ignore-hashes option like we did previously and refuse to install anything without a hash unless that flag is passed. This means we are possibly overzealous but by default ensure we do what we claim we do.

2.) We claim to provide a hashing opt-in and refuse to install anything (except maybe vcs/local dependencies) without a hash. This has the same strictness but requires the users to choose to use it.

Having a "We may check but also maybe we won't ¯\_(ツ)_/¯" approach to a feature like this is irresponsible and means the implementation isn't useful. It's got to be all or nothing.

@techalchemy
Member

Yeah, silently ignoring hashes seems like failing to me if we are claiming to use hash verification by default. A hashing opt-in would be a breaking change for some people now, I'm guessing, although if we find hashes in the Pipfile we could always do verification to support the current circumstances.

As far as hash verification for vcs or local dependencies, I didn't dig too far into it but I've been through a lot of the pip codebase and I'm not sure it would be that hard. @vphilippon might know more

@pfmoore
Member Author

pfmoore commented Oct 29, 2017

@nateprewitt I'm not sure what you are implying by the comment that we can't move the lockfile cross platform. The problem here is that I cannot use PyPI, because there's no binary for my platform on PyPI, and building from source fails. Ideally, I'd tell Pipfile to use my custom index and PyPI, but I don't know how to do that so I've specified only my custom index, as that's the essential one.

So there's a number of separate issues here:

  1. My local index won't work, because pipenv isn't picking up the hashes.
  2. For some reason pipenv is picking up hashes from PyPI, even though I told it to use another index.
  3. My Pipfile can't be used elsewhere because there's no way of using both my index and PyPI.

My problem is with (1) and to a lesser extent (2). By saying that it's difficult to solve those because it makes the lock file non-portable, you're tying them to (3). I've no objection to having a solution to (3), but it's not an immediate concern for me. So I'd rather it was handled separately.

With regard to PEP 503, that's the standardised definition of what "a package index" is. If pipenv needs extra (e.g. a JSON interface) then it needs to make that a lot clearer in the docs, as that presents a much higher barrier to entry for people who need something beyond what PyPI provides (for instance, I'm not sure if devpi provides a JSON API).

It sounds to me (and don't take this as criticism, it's not) that pipenv is focused very much on the "get everything from PyPI" use case, and hasn't fully considered the implications of handling private indexes. That's fine, and if that is the case ("we're still working out how private indexes fit into our design") then I'm OK with that, but it would be worth being a little clearer about that in the docs. But there's no doubt (for instance) that using a private index affects portability of the pipfile/pipfile.lock, as you can't use them if the index isn't available. (This is actually not that much different from local file links, which are also portable only to wherever the file is accessible - network shares make that potentially the whole organisation, but not public use).

Anyway, the design principles of pipenv are peripheral here, so I won't say any more on that matter (beyond pointing out that it would be useful to document them, to help people understand what types of project pipenv is applicable for).

@techalchemy
Member

@pfmoore I am not sure what is confusing so I will clarify a couple of points.

  • Nobody is confused about what a package index is or what a PEP is
  • We understand that you can’t use PyPI
  • Your assumptions about what pipenv is focused on are wrong — the whole point of the discussion we are having is about the non-trivial implementation details for pulling hashes from custom indexes with the package resolver we use
  • The former approach of ignoring hashes was changed in a way that doesn’t seem to make sense at a glance and we are discussing why that might be

So the reality is that actually we have considered private indexes quite a lot, and they are part of the design, obviously. However, this is an open source project and handling the various complexities around resolving dependencies using those private indexes is not as straightforward as you seem to suggest. Also, I do want to point out that if you want to criticize our support for PEP standards or common tools like devpi you should probably try them first. We support devpi.

So yeah, this particular case actually has nothing to do with any of these things. Pipenv supports using multiple indexes. It will always pick up all available hashes when it does hash comparisons, but currently it only picks up hashes from PyPI. This has nothing to do with where your package gets installed from. This only matters for hash comparisons when validating lockfiles. That’s what @nateprewitt and I have been talking about. I don’t know why this turned into a whole discussion about whether we intend to support PEP 503 and that we should tell people they can’t use private indexes and PyPI at the same time

How about instead we fix the behavior and allow people to use private indexes as before?

@pfmoore
Member Author

pfmoore commented Oct 29, 2017

Hmm, looks like I did cause offence, which I didn't mean to - I apologise.

I've been struggling to understand how pipenv works with my use case, and I suspect I've been further confused by hitting bugs, assuming it was me doing something wrong, and then things getting out of hand as I kept trying to "explain". My apologies for that also.

I'll leave you guys to thrash out the implementation details. If there is anything you need clarification on in what I'm trying to do, then feel free to ask - I'll be happy to explain further. But I'll avoid doing so unprompted, as I'm doing a lousy job of helping when I do that :-(

I appreciate you spending time helping me with this, and it's definitely not my intent to criticise, or imply that you've done anything wrong.

@erinxocon erinxocon added Type: Question ❔ This is a question or a request for support. reported bug labels Oct 29, 2017
@techalchemy
Member

@pfmoore no worries and sorry if I responded harshly, I answered before I had coffee this morning! Generally I'm on IRC as hawkerz in #pipenv on freenode if you want to have more in depth discussion but the tl;dr is that the things you want to do should work. Essentially, and sorry for not being clear about this also, your use case should and will be supported. As a workaround until we can resolve private index hashes, we built in functionality to allow users to skip hash checking.

That seems to be auto-toggled now and I'm not sure what we need to do to fix the short term problem, but the long term problem is to properly handle hashes. This hasn't been high on the priority list but may need to be moved up.

@pfmoore
Member Author

pfmoore commented Oct 29, 2017

the things you want to do should work

Thanks for the clarification. My frustration was essentially because I really wasn't sure if that was the case. Having established that this is "just" a bug, and not me misunderstanding how I should be using the tool, I'm much less bothered - I appreciate that things take time in open source, and I trust you guys to prioritise the workload appropriately.

This hasn't been high on the priority list but may need to be moved up.

No need just for me (I have plenty of alternative workflows that I can use in the immediate term). But you may find more people hitting this if pipenv becomes the PyPA recommended tool. I've no feel for how likely that is, though (my experience of "people hitting weird corner cases" is almost certainly biased as a result of being a pip developer!).

@techalchemy
Member

@pfmoore We've encountered a bunch of people using devpi or private indexes but most of them haven't actually loaded SHA256 hashes so pipenv has automatically turned off hash comparisons. I will dig into this a bit if I can.

We do need to work on documentation, I think we are very behind on that

@techalchemy
Member

@nateprewitt @pfmoore @vphilippon I was looking at this a bit today and I remembered that pip also supports putting pip configuration files inside virtualenvs. Do any of you know whether the pip-tools resolver would resolve hashes on an index specified in a pip.conf or pip.ini? I haven’t had a chance to try this out, but if so we could manage some pip settings that way unless it will change in pip 10

@pfmoore
Member Author

pfmoore commented Oct 31, 2017

There are no plans for pip 10 to change the way config settings work - it's all in the docs so it's fully supported and would require a deprecation period if we were to change it.

@erinxocon
Contributor

I think respecting a pip.conf in the root of the project directory should be supported in pipenv.

@nateprewitt
Sponsor Member

I don't know if we should be forcing users to have to create one for every project. It's intended to typically be a global file that you edit in one place. I haven't dug into why we're discarding those settings in our copy of pip, but fixing that seems like the better approach to me.

@erinxocon
Contributor

Yeah, you are correct. I suppose that would be more in line with how pip in a virtualenv works.

@techalchemy
Member

Technically we don't disregard the settings entirely, I'm pretty sure they should pass through...

@pfmoore
Member Author

pfmoore commented Nov 1, 2017

My use case is per-project (I don't want the custom index in my global pip.ini) so while I agree that respecting the global settings should work, an optional local settings file should be processed as well. Pip does this automatically - I assume the issue here is that you might need to replicate pip's logic for pip-tools?

@techalchemy
Member

That’s the precise issue. It seems like the pip-tools hash resolver doesn’t rely on parsing URLs, and the only other way we acquire hashes is from the pypi JSON api directly. Pip-tools appears to have the capability to get a hash for a remote file if it needs to, for any PEP 503 index. But adding an index to extra-index-urls still didn’t result in resolved hashes. I’m not totally clear on this but it seemed like that should work.

In terms of respecting existing options, I’m not too sure. If we are tracking sources in the Pipfile we might want to drop those through as extra-index-urls and rather than requiring the user to create a local pip configuration we could do it for them. The only real question is which global setting, if any, should we keep? Or maybe we should only keep environment variable level setting...
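An added example, not pipenv's, pip's or pip-tools' code, tying together nateprewitt's "all or nothing" rule above and the PEP 503 hash question in this comment: it reads the `#sha256=` fragments from a project's simple-index page and audits a Pipfile.lock against them, flagging packages with an empty hash list (which would install unverified) and digests the pinned index never published. The simple page, file bytes and lock entries are all constructed, and the anchor parsing is a minimal regex rather than a full HTML parser.

```python
import hashlib
import re
from urllib.parse import unquote, urlsplit

# Minimal anchor extraction; PEP 503 project pages are plain <a href="..."> lists.
_LINK = re.compile(r'<a\s[^>]*href="([^"]+)"', re.I)

def index_hashes(simple_html):
    """Parse one /simple/<project>/ page into {filename: sha256 hex or None}."""
    files = {}
    for href in _LINK.findall(simple_html):
        parts = urlsplit(href)
        name = unquote(parts.path.rsplit("/", 1)[-1])
        frag = parts.fragment  # PEP 503: "#sha256=<hex>" when a digest is published
        files[name] = frag[7:].lower() if frag.startswith("sha256=") else None
    return files

def audit_lock(lock, published):
    """Check a Pipfile.lock "default" section against {index_name: index_hashes()}.
    Returns (package, problem) pairs: an empty hash list would install unverified;
    a digest the pinned index never published cannot have come from that index."""
    findings = []
    for name, entry in lock["default"].items():
        hashes = entry.get("hashes", [])
        if not hashes:
            findings.append((name, "no hashes: would install unverified"))
            continue
        idx = entry.get("index", "pypi")
        known = {d for d in published.get(idx, {}).values() if d}
        for h in hashes:
            algo, _, digest = h.partition(":")
            if algo != "sha256" or digest.lower() not in known:
                findings.append((name, f"hash not published by index {idx!r}: {h}"))
    return findings

# Constructed sample: real digests of constructed bytes, plus a link with no hash.
_FILES = {"pycurl-7.43.0-cp36-cp36m-win_amd64.whl": b"constructed wheel bytes",
          "pycurl-7.43.0.tar.gz": b"constructed sdist bytes"}
SIMPLE_PAGE = "<html><body>" + "".join(
    f'<a href="{n}#sha256={hashlib.sha256(b).hexdigest()}">{n}</a>'
    for n, b in _FILES.items()) + '<a href="pycurl-7.42.0.tar.gz">old</a></body></html>'

def demo():
    """Audit a constructed lock: pycurl carries one foreign digest, six has none."""
    good = "sha256:" + hashlib.sha256(_FILES["pycurl-7.43.0.tar.gz"]).hexdigest()
    lock = {"default": {"pycurl": {"index": "pycurl", "hashes": [good, "sha256:" + "0" * 64]},
                        "six": {"hashes": []}}}
    return audit_lock(lock, {"pycurl": index_hashes(SIMPLE_PAGE)})
```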

@vphilippon
Member

@techalchemy Late reply on my part, sorry, but: as far as I can tell, pip-tools should respect indexes defined in a pip.conf/pip.ini, pretty much in the same way pip does.
Although I'm unsure about the way it's used by pipenv, I would have to check that. It's all about the pip_options given to instantiate the PyPIRepository object.

@techalchemy
Member

@vphilippon I passed a custom index directly to the PyPIRepository and it didn't resolve any hashes at all -- I spent a good chunk of time on it and I couldn't make any substantial progress so I wasn't sure if there was some constraint I was missing

@kennethreitz
Contributor

Hashes are only properly supported against PyPI at this time

@pfmoore
Member Author

pfmoore commented Nov 22, 2017

So if I am using a non-PyPI index, how do I suppress the hash mismatch error? Will --ignore-hashes be reinstated?
