pip-hash
Hash Python package requirements
TLDR
Generate hash for a package file
Generate hash using a specific algorithm
Generate hashes for multiple files
Generate hash for downloaded archive
SYNOPSIS
pip hash [options] FILE [FILE ...]
PARAMETERS
--help, -h
Show help message and exit.
--algorithm, -a
The hash algorithm to use: sha256, sha384 or sha512. The default is sha256.
DESCRIPTION
pip hash is a utility command provided by pip that generates hashes for local files, primarily intended for use with hash-checking mode in requirements.txt files. When you specify a package in requirements.txt with --hash (e.g., pkg==1.0 --hash=sha256:abc...), pip verifies that the hash of the downloaded package matches the one provided and refuses to install it otherwise. This gives you an integrity check on every dependency that does not depend on trusting the package index or mirror that served it.
The command supports SHA256, SHA384 and SHA512. By generating these hashes for your local copies of distribution files (e.g., .whl or .tar.gz files), you pin not just a version but the exact files of a dependency that may be installed, so an accidentally or maliciously altered artifact is rejected. It is an essential tool for reproducible, tamper-evident build environments, particularly in regulated industries or for projects requiring high levels of security assurance.
CAVEATS
pip hash only computes hashes for local files. It does not download packages or resolve dependencies. Its output is designed to be manually copied into a requirements.txt file. The primary goal is to produce a reproducible hash for a known artifact, not to generate hashes for every dependency of a project automatically. Users must ensure the files being hashed are the exact ones they intend to pin.
USAGE WITH REQUIREMENTS.TXT
The output of pip hash is intended to be appended to entries in a requirements.txt file. For example, after running pip hash my_package-1.0-py3-none-any.whl, you might get output like sha256:abcdef.... You would then add this to your requirements.txt: my_package==1.0 --hash=sha256:abcdef... This ensures that pip will only install a my_package whose file matches this exact hash.
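The workflow above, as an added example that is not pip's own code: it digests a local file the way pip hash does (--hash=<algo>:<hex>), reads a requirements.txt entry with one or more --hash options (including backslash-continued lines), and checks an artifact against the pinned digests. The demo wheel bytes and the demo_pkg name are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

ALGORITHMS = ("sha256", "sha384", "sha512")  # the choices pip hash --algorithm accepts
_HASH_OPT = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
_PIN = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)")

def pip_hash(path, algorithm="sha256"):
    """Digest a local file and return it in the form pip hash prints: --hash=<algo>:<hex>."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream: wheels can be large
            h.update(chunk)
    return f"--hash={algorithm}:{h.hexdigest()}"

def load_requirements(text):
    """Join backslash-continued lines and drop comments and blank lines, as requirements.txt allows."""
    joined, reqs = "", []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            joined += line[:-1] + " "
            continue
        joined += line
        if joined.strip():
            reqs.append(joined.strip())
        joined = ""
    return reqs

def parse_requirement(req):
    """Return (name, version, {algo: {digests}}); hash-checking needs an exact == pin plus hashes."""
    m = _PIN.match(req)
    if not m:
        raise ValueError(f"not an exact '==' pin: {req!r}")
    pins = {}
    for algo, digest in _HASH_OPT.findall(req):
        pins.setdefault(algo, set()).add(digest.lower())
    if not pins:
        raise ValueError(f"no --hash on pinned requirement {req!r}")
    return m.group(1), m.group(2), pins

def verify_artifact(path, req):
    """True if the file's digest matches any hash pinned on req (several are allowed, one per file)."""
    _, _, pins = parse_requirement(req)
    return any(pip_hash(path, a).split(":", 1)[1] in d for a, d in pins.items())

def write_demo_file(data):
    """Write constructed bytes to a temp file standing in for a downloaded .whl (demo only)."""
    p = Path(tempfile.mkdtemp()) / "demo_pkg-1.0-py3-none-any.whl"
    p.write_bytes(data)
    return p
```

Running pip_hash on a wheel and pasting its output under the pinned requirement, then checking new downloads with verify_artifact, is the same check pip performs once any --hash appears in the file.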
SECURITY IMPLICATIONS
Using pip hash for dependency pinning substantially hardens your build process. It records a cryptographic fingerprint of each dependency, so pip refuses to install a different version or a tampered file, even if the package index (such as PyPI) were compromised or a mirror served incorrect data. This is a critical practice for robust and secure Python development.
HISTORY
The pip hash command was introduced as part of pip's efforts to improve security and reproducibility, alongside hash-checking mode for requirements.txt files. The feature gained prominence from pip 8.0 onwards, as the Python community recognized the need for stronger guarantees against tampering and supply chain attacks. Before that, users typically generated hashes by hand with tools such as sha256sum; pip hash provides a streamlined, pip-native way to produce hashes in the format expected by pip install --require-hashes. Its development aligns with the broader industry move towards secure software supply chains.