
Can't verify hashes for these requirements because we don't have a way to hash version control repositories


I have the following requirements file:

...
sqlalchemy==1.2.3 --hash=sha256:9e9ec143e2e246f385cfb2de8daa89d2fa466279addcb7be9e102988fdf33d24
werkzeug==0.14.1 --hash=sha256:d5da73735293558eb1651ee2fddc4d0dedcfa06538b8813a2e20011583c9e49b  
git+ssh://gitlab.domain.com/private_pkg.git#egg=private_pkg

Installing the project from the shell works perfectly:

pip install git+ssh://gitlab.domain.com/private_pkg.git#egg=private_pkg

but trying to install it from the requirements file raises this error:

Can't verify hashes for these requirements because we don't have a way to hash version control repositories:
    private_pkg from git+ssh://gitlab.domain.com/private_pkg.git#egg=private_pkg (from -r requirements/prod.lock (line 30))

NB: the hashes in the requirements file are generated from pipenv lock -r


Solution

  • The --hash option in pip is all-or-nothing. You either specify none, or need to specify all of them. Packages not hosted on PyPI cannot have a hash, however, which causes the failure. Install your project with any package with the --hash option set, and you’d see what the problem is.

    Newer versions of Pipenv removed hashes from exported requirements.txt altogether to avoid the problem.
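
A pre-install check for the situation above, as an added example that is not part of the original answer: it reports which lines of a requirements file pip would refuse once any single line carries --hash. The function name audit_requirements and the sample text (rebuilt from the file in the question) are assumptions made for this illustration.

```python
import re

# VCS schemes pip understands; none of them can be given a --hash.
VCS = re.compile(r"(^|\s|@)(git|hg|svn|bzr)\+")

# Constructed sample mirroring the requirements file shown in the question.
SAMPLE = """\
sqlalchemy==1.2.3 --hash=sha256:9e9ec143e2e246f385cfb2de8daa89d2fa466279addcb7be9e102988fdf33d24
werkzeug==0.14.1 --hash=sha256:d5da73735293558eb1651ee2fddc4d0dedcfa06538b8813a2e20011583c9e49b
git+ssh://gitlab.domain.com/private_pkg.git#egg=private_pkg
"""

def audit_requirements(text):
    """Return (hash_mode, problems) for the text of a requirements file.

    hash_mode is True when any requirement carries --hash, which puts pip in
    hash-checking mode for the whole install. problems is a list of
    (line_number, reason) for requirements pip would then reject.
    """
    records, buf, start = [], "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        if raw.rstrip().endswith("\\"):          # backslash continuation
            buf += raw.rstrip()[:-1] + " "
            continue
        line = re.sub(r"(^|\s)#.*$", "", buf + raw).strip()  # drop comments, keep #egg=
        if line.startswith(("-e ", "--editable ")):
            line = line.split(None, 1)[1]
        if line and not line.startswith("-"):    # skip blanks and option lines
            records.append((start, line))
        buf, start = "", None

    hash_mode = any("--hash=" in line for _, line in records)
    problems = []
    if hash_mode:
        for no, line in records:
            if VCS.search(line):
                problems.append((no, "VCS requirement cannot be hashed"))
            elif "--hash=" not in line:
                problems.append((no, "missing --hash"))
            elif "://" not in line and "==" not in line.split("--hash")[0]:
                problems.append((no, "not pinned with =="))
    return hash_mode, problems

if __name__ == "__main__":
    mode, issues = audit_requirements(SAMPLE)
    print("hash-checking mode:", mode)
    for no, reason in issues:
        print(f"line {no}: {reason}")
```

Running it as a CI step before pip install turns the install-time failure into a line-numbered report.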