What This Error Means
You are using hash-checking mode (--require-hashes), but the downloaded file's hash doesn't match, or some requirements are missing hashes.
How to Fix It
If you intentionally changed versions, regenerate hashes for the new artifacts from a trusted source and update the requirements file.
Ensure every requirement installed under --require-hashes has at least one valid hash entry (pip requires hashes for all requirements in this mode).
Retry with --no-cache-dir to rule out corrupted cache artifacts.
If you're using an internal mirror, verify it serves the correct artifacts and isn't rewriting files.
Why It Happens
A package version was updated in the requirements file but its hashes were not updated.
The index/mirror served a different file than the one the hashes were generated against.
A cached download is corrupt or truncated (less common, but possible).
An attacker or misconfigured proxy/mirror altered the served artifact.
How to Verify
Re-run python -m pip install --require-hashes -r requirements.txt and confirm installs complete.
Verify the installed versions match what you pinned (python -m pip freeze).
Manual hash-checking triage
Identify which requirement line pip says has mismatched/missing hashes.
Check whether you changed a pinned version without updating its --hash= lines.
Confirm you're using the expected index/mirror (a different mirror can serve different files).
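The first two triage steps can be scripted before re-running pip. The sketch below is an added example, not pip's own code and not part of the original page: it parses a hashed requirements file, lists entries with no --hash= option, and checks artifact bytes against the allowed digests. The package names and artifact bytes are constructed, and the parser is a simplification (sha256/sha384/sha512 only, option lines such as -r includes are skipped).

```python
import hashlib
import re

HASH_RE = re.compile(r"--hash=(\w+):([0-9a-fA-F]+)")
STRONG = {"sha256", "sha384", "sha512"}  # simplification: only these are checked

def parse_requirements(text):
    """Map each requirement spec to its set of (algorithm, hexdigest) pairs."""
    # Hashed requirements usually span lines joined by a trailing backslash.
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    reqs = {}
    for line in joined.splitlines():
        line = line.split(" #")[0].strip()  # drop trailing comments
        if not line or line.startswith(("#", "-")):
            continue  # blank, comment, or option line such as --index-url
        spec = HASH_RE.sub("", line).strip()
        reqs[spec] = {(a.lower(), h.lower()) for a, h in HASH_RE.findall(line)}
    return reqs

def missing_hashes(reqs):
    """Requirements that would be rejected for having no hash entry."""
    return sorted(spec for spec, hashes in reqs.items() if not hashes)

def artifact_matches(data, allowed):
    """True if the artifact bytes match at least one allowed digest."""
    return any(
        algo in STRONG and hashlib.new(algo, data).hexdigest() == digest
        for algo, digest in allowed
    )

def demo():
    # Constructed sample: bytes standing in for a wheel, and a truncated copy.
    good = b"constructed wheel bytes"
    served = good[:-4]
    digest = hashlib.sha256(good).hexdigest()
    text = (
        "examplepkg==1.0 \\\n"
        f"    --hash=sha256:{digest}\n"
        "otherpkg==2.0  # version bumped, hash never added\n"
    )
    reqs = parse_requirements(text)
    allowed = reqs["examplepkg==1.0"]
    return missing_hashes(reqs), artifact_matches(good, allowed), artifact_matches(served, allowed)

if __name__ == "__main__":
    print(demo())
```

To triage a real failure, pass the contents of your requirements file to parse_requirements and the bytes of the downloaded file to artifact_matches.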
Examples
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes.
Hashes are required in --require-hashes mode (implicitly on when a hash is specified for any package). These requirements were missing hashes, leaving them open to tampering.
How pip hash-checking works
In --require-hashes mode, pip verifies that every downloaded distribution matches an allowed hash from your requirements file.
If any package is missing a hash entry, pip refuses to install it (because it would be unverified).
If a downloaded artifact's hash differs, pip assumes tampering or a changed file and aborts.
Prevention Tips
Generate hashed requirements in a controlled environment and treat the file as an integrity lock.
Use a single trusted mirror for CI to reduce artifact variance.
Avoid manually editing hash lines; use tooling/workflows to regenerate them.
Where This Can Be Triggered
github.com/pypa/pip/blob/25.3/src/pip/_internal/exceptions.py (missing hashes)
When --require-hashes is enabled and a requirement is missing hashes, pip reports a HashMissing error with this header text.
class HashMissing(HashError):
    """A hash was needed for a requirement but is absent."""

    order = 2
    head = (
        "Hashes are required in --require-hashes mode, but they are "
        "missing from some requirements. Here is a list of those "
        "requirements along with the hashes their downloaded archives "
        "actually had. Add lines like these to your requirements files to "
        "prevent tampering. (If you did not enable --require-hashes "
        "manually, note that it turns on automatically when any package "
        "has a hash.)"
    )
github.com/pypa/pip/blob/25.3/src/pip/_internal/exceptions.py (hash mismatch)
When the downloaded artifact hash doesn't match an allowed hash, pip reports a HashMismatch error with this header text.
class HashMismatch(HashError):
    """
    Distribution file hash values don't match.

    :ivar package_name: The name of the package that triggered the hash
        mismatch. Feel free to write to this after the exception is raise to
        improve its error message.
    """

    order = 4
    head = (
        "THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS "
        "FILE. If you have updated the package versions, please update "
        "the hashes. Otherwise, examine the package contents carefully; "
        "someone may have tampered with them."
    )