python - "PACKAGES DO NOT MATCH THE HASHES" error with pip

Question

I'm trying to install packages using pip. In this case for OpenCV. However, I'm unable to install anything. I'm using python 3.5.3 en pip 18.0 (installed using get-pip.py).

Whatever I try, the command 'pip install package-name' generates the following error:

THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them. opencv-contrib-python-headless from https://www.piwheels.org/simple/opencv-contrib-python-headless/opencv_contrib_python_headless-3.4.3.18-cp35-cp35m-linux_armv6l.whl#sha256=ff894c0cc7c98b05b7b260a1dc462e7ad0a4220b042072fc0134a2b7a92bc4a5: Expected sha256 ff894c0cc7c98b05b7b260a1dc462e7ad0a4220b042072fc0134a2b7a92bc4a5 Got 4119d8c56d19ef044c1faca317dd10f2bb3b50cbee77426a22feca9b641c5637

Things I've tried:

• using '--no-cache-dir' as suggested by another using having the same question.
• reinstalling python/pip or trying other versions of python.

Answer 1

This is a problem that the https://pywheels.org/ maintainers need to fix.

https://www.piwheels.org/simple/opencv-contrib-python-headless/ contains a link to opencv_contrib_python_headless-3.4.3.18-cp35-cp35m-linux_armv6l.whl with a SHA256 of ff894c0cc7c98b05b7b260a1dc462e7ad0a4220b042072fc0134a2b7a92bc4a5 embedded in the URL.

However, downloading the file, its actual SHA256 is 4119d8c56d19ef044c1faca317dd10f2bb3b50cbee77426a22feca9b641c5637 (I get this myself, so it's not an attacker monkeying-in-the-middle with your network connection only to substitute malicious packages).

This could mean that malicious tampering has gone on (presumably by someone who's directly compromised PyWheels infrastructure), if an attacker has injected malware into the packages but not updated the checksums. The safe thing to do is to contact the site owners and ask that they investigate the issue.