What This Error Means
You are using hash-checking mode (--require-hashes), but the downloaded file's hash doesn't match, or some requirements are missing hashes.
Read this as a precise clue about which part of the workflow broke first. Once you know the failing layer, the fix path gets much shorter.
Fix the integrity mismatch
If you intentionally changed versions, regenerate hashes for the new artifacts from a trusted source and update the requirements file.
Ensure every requirement installed under --require-hashes has at least one valid hash entry (pip requires hashes for all requirements in this mode).
Retry with --no-cache-dir to rule out corrupted cache artifacts.
If you're using an internal mirror, verify it serves the correct artifacts and isn't rewriting files.
Why It Happens
Usually this comes down to a package version was updated in the requirements file but its hashes were not updated, the index/mirror served a different file than the one the hashes were generated against, a cached download is corrupt or truncated (less common, but possible), or an attacker or misconfigured proxy/mirror altered the served artifact.
Verify the Fix
Re-run python -m pip install --require-hashes -r requirements.txt and confirm installs complete, and verify the installed versions match what you pinned (python -m pip freeze).
Manual hash-checking triage
Identify which requirement line pip says has mismatched/missing hashes.
Check whether you changed a pinned version without updating its --hash= lines.
Confirm you're using the expected index/mirror (a different mirror can serve different files).
Examples
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes.
Hashes are required in --require-hashes mode (implicitly on when a hash is specified for any package). These requirements were missing hashes, leaving them open to tampering.How pip hash-checking works
This is the part worth understanding if the quick fix did not hold. It explains what pip is trying to do at the moment the error appears.
In --require-hashes mode, pip verifies that every downloaded distribution matches an allowed hash from your requirements file.
If any package is missing a hash entry, pip refuses to install it (because it would be unverified). If a downloaded artifact's hash differs, pip assumes tampering or a changed file and aborts.
Prevent It From Coming Back
To prevent this, generate hashed requirements in a controlled environment and treat the file as an integrity lock, use a single trusted mirror for CI to reduce artifact variance, and avoid manually editing hash lines, use tooling/workflows to regenerate them.
Docs and source code
github.com/pypa/pip/blob/25.3/src/pip/_internal/exceptions.py (missing hashes)
When --require-hashes is enabled and a requirement is missing hashes, pip reports a HashMissing error with this header text. - GitHub
class HashMissing(HashError):
"""A hash was needed for a requirement but is absent."""
order = 2
head = (
"Hashes are required in --require-hashes mode, but they are "
"missing from some requirements. Here is a list of those "
"requirements along with the hashes their downloaded archives "
"actually had. Add lines like these to your requirements files to "
"prevent tampering. (If you did not enable --require-hashes "
"manually, note that it turns on automatically when any package "
"has a hash.)"
)
github.com/pypa/pip/blob/25.3/src/pip/_internal/exceptions.py (hash mismatch)
When the downloaded artifact hash doesn't match an allowed hash, pip reports a HashMismatch error with this header text. - GitHub
class HashMismatch(HashError):
"""
Distribution file hash values don't match.
:ivar package_name: The name of the package that triggered the hash
mismatch. Feel free to write to this after the exception is raise to
improve its error message.
"""
order = 4
head = (
"THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS "
"FILE. If you have updated the package versions, please update "
"the hashes. Otherwise, examine the package contents carefully; "
"someone may have tampered with them."
)