Clean Docker pip install results in ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE

Question

My Dockerfile looks like

FROM python:3.7-slim

# System setup
ENV USER app
ENV APP_DIR /home/app

RUN useradd -ms /bin/bash ${USER}

# System dependencies
RUN apt-get -y update
RUN apt-get install -y --no-install-recommends \
  build-essential \
  libffi-dev \
  libpq-dev

# Update pip
RUN pip3 install --upgrade pip setuptools --user --no-cache-dir
RUN pip3 install wheel --user --no-cache-dir

WORKDIR ${APP_DIR}

# App dependencies
COPY setup.py ${APP_DIR}/
RUN pip3 install --extra-index-url {url} -e ${APP_DIR}/.[test] --user

with the following docker-compose:

version: '3'
services:
  application-api:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - "8000:8000"
    volumes:
      - ~/.config/appsecrets/secrets.yaml:/var/lib/appsecrets/app.yaml:ro
    environment:
      APP_LOG_LEVEL: INFO

and with the following setup.py

from setuptools import setup

setup(
    name="context_manager",
    install_requires=[
        "gunicorn[gevent]==20.0.4",
        "nltk==3.4.5",
        "psycopg2==2.7.3.2",
        "pyyaml==5.1.2",
        "pyparsing==2.4.6",
        "sentry-sdk==0.14.0",
        "tldextract==2.2.2",
    ],
    extras_require={"test": ["pytest", "pytest-cov", "mock"]},
)

This results in the following error

ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.

    nltk==3.4.5 from https://files.pythonhosted.org/packages/f6/1d/d925cfb4f324ede997f6d47bea4d9babba51b49e87a767c170b77005889d/nltk-3.4.5.zip#sha256=bed45551259aa2101381bbdd5df37d44ca2669c5c3dad72439fa459b29137d94 (from context-manager==0.0.0):
        Expected sha256 bed45551259aa2101381bbdd5df37d44ca2669c5c3dad72439fa459b29137d94
             Got        ce4ae7079a05635aa5a2e7f464593524d4b047982c06c012c53d1658175043b6

    gevent>=0.13; extra == "gevent" from https://files.pythonhosted.org/packages/0b/55/85c758c389a3c84f999b445e423b6b148227f03104fa7957e84179d9a97b/gevent-20.5.0-cp37-cp37m-manylinux2010_x86_64.whl#sha256=31dc5d4ab8172cc00c4ff17cb18edee633babd961f64bf54214244d769bc3a74 (from gunicorn[gevent]==20.0.4->context-manager==0.0.0):
        Expected sha256 31dc5d4ab8172cc00c4ff17cb18edee633babd961f64bf54214244d769bc3a74
             Got        02444a3dbde12419a14ad40ac2dff92466f5fbfb1c566c94b44ce01497bdbdb2

    urllib3>=1.10.0 from https://files.pythonhosted.org/packages/e1/e5/df302e8017440f111c11cc41a6b432838672f5a70aa29227bf58149dc72f/urllib3-1.25.9-py2.py3-none-any.whl#sha256=88206b0eb87e6d677d424843ac5209e3fb9d0190d0ee169599165ec25e9d9115 (from sentry-sdk==0.14.0->context-manager==0.0.0):
        Expected sha256 88206b0eb87e6d677d424843ac5209e3fb9d0190d0ee169599165ec25e9d9115
             Got        d00015c954667a679b32f8d1892cd6264f725e44df87e1ca775678c409f1faef

This has just recently started, and is not affecting anyone else trying to build the same image.

I have tried with and without --user and --no-cache-dir on all the pip3 install commands with no luck. The docker container is running without any cached steps. I am using Docker version 19.03.1 on Windows (Home).

Any ideas on what could be the cause of this?

Answer 1

This is very likely to be an issue with pip 20.1.0 which is released recently and made it into the python:3.7-slim images: https://github.com/docker-library/python/commit/b818e9441c088295165edf79a791503f1fe7f6f7

If you replace your # Update pip section with pip install pip==20.0.2 these should go away.

Regarding why, I think this change might be responsible: https://github.com/pypa/pip/issues/609