Building Resilient Systems on AWS: Learn how to design and implement a resilient, highly available, fault-tolerant infrastructure on AWS.

Get Python Requirements Package Hashes

By David Walsh on May 15, 2017

Python's (pip's) requirements.txt file is the equivalent to package.json in the JavaScript / Node.js world. This requirements.txt file isn't as pretty as package.json but it not only defines a version but goes a step further, providing a sha hash to compare against to ensure package integrity:

Flask==0.12.1 \
    --hash=sha256:6c3130c8927109a08225993e4e503de4ac4f2678678ae211b33b519c622a7242
Jinja2==2.9.6 \
    --hash=sha256:2231bace0dfd8d2bf1e5d7e41239c06c9e0ded46e70cc1094a0aa64b0afeb054
MarkupSafe==1.0 \
    --hash=sha256:a6be69091dac236ea9c6bc7d012beab42010fa914c459791d627dad4910eb665

....

Coming from the JavaScript / package.json world, you only need to provide the package name and version. To get the hash of a python package, you can use hashin. The first step is installing hashin:

pip install hashin

Once hashin is installed, you can get the package hash easily:

hashin Flask==0.12.1

The code above adds the package name, version, and available hashes to your requirements.txt file automatically. Unfortunately I'm not aware of a method for recursive hashin checks, so if a package dependency doesn't use hashes, you'll need to run hashin for each of those packages manually.

Recent Features

By David WalshJuly 15, 2013
9 Mind-Blowing WebGL Demos
As much as developers now loathe Flash, we're still playing a bit of catch up to natively duplicate the animation capabilities that Adobe's old technology provided us. Of course we have canvas, an awesome technology, one which I highlighted 9 mind-blowing demos. Another technology available...
By Soledad PenadésJuly 22, 2014
From Webcam to Animated GIF: the Secret Behind chat.meatspac.es!
My team mate Edna Piranha is not only an awesome hacker; she's also a fantastic philosopher! Communication and online interactions is a subject that has kept her mind busy for a long time, and it has also resulted in a bunch of interesting experimental projects...

Incredible Demos

By David WalshAugust 23, 2015
Simple Image Lazy Load and Fade
One of the quickest and easiest website performance optimizations is decreasing image loading. That means a variety of things, including minifying images with tools like ImageOptim and TinyPNG, using data URIs and sprites, and lazy loading images. It's a bit jarring when you're lazy loading images and they just...
By David WalshJuly 19, 2011
Create a Photo Stack Effect with Pure CSS Animations or MooTools
My favorite technological piece of Google Plus is its image upload and display handling. You can drag the images from your OS right into a browser's DIV element, the images upload right before your eyes, and the albums page displays a sexy photo deck animation...

Discussion

Peter Bengtsson
I think in your second snippet you mean hashin Flask==0.12.1.

Also, hashin works by just specifying the package name. It’ll then install the latest version. E.g. hashin Flask.

David Walsh
Yep, my bad! Updated!

Francis O'Donovan
Check out for getting both recursive checks and hashes.
F Fouvry
pip-compile (from pip-tools) can generate hashes in a requirements file, using the option --generate-hashes.

Get Python Requirements Package Hashes

Recent Features

9 Mind-Blowing WebGL Demos

From Webcam to Animated GIF: the Secret Behind chat.meatspac.es!

Incredible Demos

Simple Image Lazy Load and Fade

Create a Photo Stack Effect with Pure CSS Animations or MooTools

Discussion