Locked info for local wheel should contain hash of the wheel file itself #2394
Closed
Description
From #2390. Take googleappenginepipeline for example, here’s the lock file
{
"_meta": {
"hash": {
"sha256": "6929c0ba32c595c656469787bbbe9ae6f7f840b5bc03b9e97dd518c3468f3672"
},
"pipfile-spec": 6,
"requires": {
"python_version": "2.7"
},
"sources": [
{
"name": "pypi",
"url": "https://pypi.org/simple",
"verify_ssl": true
}
]
},
"default": {
"googleappenginecloudstorageclient": {
"hashes": [
"sha256:b00ad9e7ca5a5524f07b6099b4c1e920cca9badc8e0d57cb6c1e2fb976356c95"
],
"version": "==1.9.22.1"
},
"googleappenginepipeline": {
"hashes": [
"sha256:cef7f04172870db661c8ae26fc1417b1bb30bdcd0019b1cdd15c5c4cd3c0ae1c"
],
"path": "./GoogleAppEnginePipeline-1.9.22.1-py2-none-any.whl",
"version": "==1.9.22.1"
}
},
"develop": {}
}The hash cef7f04172870db661c8ae26fc1417b1bb30bdcd0019b1cdd15c5c4cd3c0ae1c is the source archive’s hash from PyPI, but that does not match the wheel’s, and causes an failure when you run pipenv sync:
THESE PACKAGES DO NOT MATCH THE HASHES FROM Pipfile.lock!. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
GoogleAppEnginePipeline==1.9.22.1 from file:///.../GoogleAppEnginePipeline-1.9.22.1-py2-none-any.whl (from -r ... (line 1)):
Expected sha256 cef7f04172870db661c8ae26fc1417b1bb30bdcd0019b1cdd15c5c4cd3c0ae1c
Got 13210232486bf683d928aae1a2d9d97edada6d2d83063dc23b71fb6bbcee9874
The solution to this, I think, is to include the wheel file’s hash with those from PyPI. The user should be responsible for providing a legit wheel file during locking, and if (s)he does, this hash can be used to ensure the wheel file used during sync is also legit.