Get Python Requirements Package Hashes
requirements.txt file is the equivalent to
The requirements.txt file isn't as pretty as package.json, but it not only defines a version, it goes a step further and provides a SHA hash to compare against to ensure package integrity:
Flask==0.12.1 \
    --hash=sha256:6c3130c8927109a08225993e4e503de4ac4f2678678ae211b33b519c622a7242
Jinja2==2.9.6 \
    --hash=sha256:2231bace0dfd8d2bf1e5d7e41239c06c9e0ded46e70cc1094a0aa64b0afeb054
MarkupSafe==1.0 \
    --hash=sha256:a6be69091dac236ea9c6bc7d012beab42010fa914c459791d627dad4910eb665
....
In the package.json world, you only need to provide the package name and version. To get the hash of a Python package, you can use hashin. The first step is installing hashin:
pip install hashin
Once hashin is installed, you can get the package hash easily:
The code above adds the package name, version, and available hashes to your requirements.txt file automatically. Unfortunately I'm not aware of a method for recursive hashin checks, so if a package dependency doesn't use hashes, you'll need to run hashin for each of those packages manually.
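An added example (not from the original post): a small offline checker that parses a requirements.txt, lists the entries that still need a hashin run because they are unpinned or carry no --hash, and checks a downloaded file against the listed hashes. The function names and the itsdangerous and click sample lines are constructed for illustration.

```python
import hashlib
import re

# Constructed sample: Flask and Jinja2 are the page's entries; "itsdangerous"
# (no hash) and "click" (not pinned) are constructed to show the failure cases.
SAMPLE = """\
Flask==0.12.1 \\
    --hash=sha256:6c3130c8927109a08225993e4e503de4ac4f2678678ae211b33b519c622a7242
Jinja2==2.9.6 \\
    --hash=sha256:2231bace0dfd8d2bf1e5d7e41239c06c9e0ded46e70cc1094a0aa64b0afeb054
# constructed entries below
itsdangerous==0.24
click>=6.0
"""

HASH_RE = re.compile(r"--hash[=\s]+(sha256|sha384|sha512):([0-9a-fA-F]+)")

def parse_requirements(text):
    """Return {name: {"pinned": bool, "hashes": set of "algo:hex"}}."""
    joined = re.sub(r"\\\r?\n", " ", text)  # fold backslash continuations
    reqs = {}
    for line in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line).strip()  # drop comments
        if not line or line.startswith("-"):  # skip blanks and option lines
            continue
        spec = line.split("--hash")[0].split(";")[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)", spec)
        name, version_spec = m.group(1), m.group(3).strip()
        # Hash-checking needs an exact pin: "==" with no range or wildcard.
        pinned = re.fullmatch(r"==\s*[^\s,*]+", version_spec) is not None
        hashes = {f"{a}:{h.lower()}" for a, h in HASH_RE.findall(line)}
        reqs[name.lower()] = {"pinned": pinned, "hashes": hashes}
    return reqs

def needs_hashin(reqs):
    """Names that are not pinned with == or have no hash listed."""
    return sorted(n for n, r in reqs.items() if not r["pinned"] or not r["hashes"])

def artifact_allowed(data, hashes):
    """True if the downloaded bytes match any hash listed for the package."""
    return any(hashlib.new(algo, data).hexdigest() == digest
               for algo, digest in (h.split(":", 1) for h in hashes))

if __name__ == "__main__":
    print(needs_hashin(parse_requirements(SAMPLE)))
```

Running it against the output of pip freeze shows which transitive dependencies are still missing from the hashed file.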