Why doesn't pipenv complain when I change a hash?

What are the hashes in Pipfile.lock used for?

What I do

  1. I create a Pipfile + Pipfile.lock with pipenv
  2. I copy them to a new location
  3. I change the hashes (e.g. replacing the first character with "a")
  4. I execute pipenv sync

Now I expected pipenv to tell me that it cannot install the dependencies specified in Pipfile.lock. That the hashes do not match. But it finishes as if everything was fine.

I use pipenv, version 2018.11.26

Pipfile

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]

[packages]
click = "*"

[requires]
python_version = "3.8"

Pipfile.lock

{
    "_meta": {
        "hash": {
            "sha256": "4a7fd38a2059440221d12f94b1f164253e097393bdaa26ee99895d043625bcb8"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.8"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "click": {
            "hashes": [
                "sha256:2335065e6395b9e67ca716de5f7526736bfa6ceead690adf616d925bdc622b13",
                "sha256:5b94b49521f6456670fdb30cd82a4eca9412788a93fa6dd6df72c94d5a8ff2d7"
            ],
            "index": "pypi",
            "version": "==7.0"
        }
    },
    "develop": {}
}

Solution

  • I was able to recreate this behavior as well, so I did some digging with the pipenv sync -v command for some verbosity and found this:

    Since it is already installed, we are trusting this package without checking its hash. 
    To ensure a completely repeatable environment, install into an empty virtualenv.
    

    It appears the hashes are not checked if the package is already installed.
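An added illustration of what the lock hashes are for, not part of the question or the answer above and not pipenv's own code: the script below builds a minimal Pipfile.lock "default" section from constructed artifact bytes (stand-ins for the wheel and sdist pipenv would download), verifies an artifact against the locked hashes the way pip's hash-checking mode does before installing a file, renders the lock as the requirement lines that `pip install --require-hashes -r` consumes, and then repeats the question's experiment of replacing the first character of every hash to show that verification fails once the artifact is actually checked. The "_meta" block is a placeholder, not the Pipfile hash pipenv computes.

```python
import hashlib
import json

# Constructed stand-ins for downloaded distribution files (a wheel and an sdist).
# Real pipenv records the sha256 of every artifact it resolved for a package.
CLICK_WHEEL = b"constructed-click-7.0-py2.py3-none-any.whl"
CLICK_SDIST = b"constructed-click-7.0.tar.gz"


def sha256_hex(data: bytes) -> str:
    """Hex sha256 digest, the value stored after 'sha256:' in Pipfile.lock."""
    return hashlib.sha256(data).hexdigest()


def build_lock(packages: dict) -> dict:
    """Build a minimal Pipfile.lock-shaped dict from artifact contents.

    packages maps a package name to (version_spec, [artifact_bytes, ...]).
    Only the 'hashes' and 'version' keys are used here; '_meta' is a
    placeholder, not the Pipfile hash pipenv itself would compute.
    """
    default = {}
    for name, (version, artifacts) in packages.items():
        default[name] = {
            "hashes": sorted("sha256:" + sha256_hex(a) for a in artifacts),
            "index": "pypi",
            "version": version,
        }
    return {"_meta": {"pipfile-spec": 6}, "default": default, "develop": {}}


def tamper_hashes(lock: dict, name: str) -> dict:
    """Return a copy of the lock in which the first hex character of every
    hash for `name` is replaced, as the question does with 'a' (falling back
    to 'b' when the first character already is 'a', so it always changes)."""
    copy = json.loads(json.dumps(lock))  # deep copy; original stays intact
    tampered = []
    for entry in copy["default"][name]["hashes"]:
        algo, _, hexdigest = entry.partition(":")
        first = "a" if hexdigest[0] != "a" else "b"
        tampered.append(f"{algo}:{first}{hexdigest[1:]}")
    copy["default"][name]["hashes"] = tampered
    return copy


def verify_artifact(lock: dict, name: str, data: bytes) -> bool:
    """Check that an artifact's sha256 appears among the locked hashes.

    This is the check pip performs in hash-checking mode before installing a
    downloaded file; a package that is already installed is never fetched,
    so the check never runs for it (the behaviour observed in the answer).
    """
    expected = {h for h in lock["default"][name]["hashes"] if h.startswith("sha256:")}
    return "sha256:" + sha256_hex(data) in expected


def lock_to_requirements(lock: dict) -> list:
    """Render the 'default' section as pip requirement lines with --hash
    options, the format consumed by 'pip install --require-hashes -r'."""
    lines = []
    for name, entry in sorted(lock["default"].items()):
        hashes = " ".join("--hash=" + h for h in entry["hashes"])
        lines.append(f"{name}{entry['version']} {hashes}")
    return lines


if __name__ == "__main__":
    lock = build_lock({"click": ("==7.0", [CLICK_WHEEL, CLICK_SDIST])})
    print("\n".join(lock_to_requirements(lock)))
    print("wheel matches lock:", verify_artifact(lock, "click", CLICK_WHEEL))
    bad = tamper_hashes(lock, "click")
    print("wheel matches tampered lock:", verify_artifact(bad, "click", CLICK_WHEEL))
```

The practical takeaway from the answer, restated in terms of this check: the hashes only protect an installation in which pip actually downloads and verifies each artifact, so a fresh virtualenv (or `pipenv --rm` followed by `pipenv sync`) is what turns a tampered lock file into a failed install.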