Check hash of the package during pip install

Is there a way to force pip check if md5 hash of a package matches the one from my requirements file?

So I could have a requirements.txt file like:

drf-compound-fields==0.2.0 md5=999168ac0303c4ea781da9cf47f841c1

Then if a hash is given for a package, pip would verify that hash of *.tar.gz (or whatever format is there) file matches it. If not -- it would refuse to install it.

Otherwise someone could break a developer's system and upload a malicious package version to PyPI.

Solution

The peep package adds a hash to your requirement. So if you can check them after installing them the first time, then the hash will take care of checking that the package you expected to download is what pip (peep) is "really" downloading.

Your requirements.txt file will end up looking something like:

# sha256: L9XU_-gfdi3So-WEctaQoNu6N2Z3ZQYAOu4-16qor-8
drf-compound-fields==0.2.0

For more details: https://pypi.python.org/pypi/peep

Unexpected list append
Force matrix_world to be recalculated in Blender
SQLAlchemy and empty columns
ValueError: time data '24:00' does not match format '%H:%M'
Convert RDD of LabeledPoint to DataFrame toDF() Error
How to cancel trigonometric expressions in SymPy
Get view used in Django tests
Precompiled sasl python 3.9+ package for windows
Regex: Substitute pattern in string multiple times without leftovers
How to render raw html in the PyHTML library
Why does my implementation of trilateration give wrong results?
Django admin: how to sort by one of the custom list_display fields that has no database field
TypeError: not all arguments converted during string formatting - psycopg2
Is there a Python equivalent of the C# null-coalescing operator?
Kraken API - Account balances request returning Invalid Nonce
configparser without whitespace surrounding operator
Pytorch tensor to numpy array
Django: How to get a person whose birthday is today from a database?
Performance impact of inheriting from many classes
How can I do a line break (line continuation) in Python (split up a long line of source code)?
Using pydantic to change int to string
Breaking long method chains into multiple lines in Python
What do ** (double star/asterisk) and * (star/asterisk) mean in a function call?
How to install Pygame on Python 3.4?
Rotating values in a list [Python]
Launch default image viewer from pygtk program
what's the inverse of the quantile function on a pandas Series?
How can I install packages using pip according to the requirements.txt file from a local directory?
Python generate all n-permutations of n lists
FastAPI error when handling file together with form-data defined in a Pydantic model