Building Resilient Systems on AWS: Learn how to design and implement a resilient, highly available, fault-tolerant infrastructure on AWS.

Get Python Requirements Package Hashes

By David Walsh on May 15, 2017

Python's (pip's) requirements.txt file is the equivalent to package.json in the JavaScript / Node.js world. This requirements.txt file isn't as pretty as package.json but it not only defines a version but goes a step further, providing a sha hash to compare against to ensure package integrity:

Flask==0.12.1 \
    --hash=sha256:6c3130c8927109a08225993e4e503de4ac4f2678678ae211b33b519c622a7242
Jinja2==2.9.6 \
    --hash=sha256:2231bace0dfd8d2bf1e5d7e41239c06c9e0ded46e70cc1094a0aa64b0afeb054
MarkupSafe==1.0 \
    --hash=sha256:a6be69091dac236ea9c6bc7d012beab42010fa914c459791d627dad4910eb665

....

Coming from the JavaScript / package.json world, you only need to provide the package name and version. To get the hash of a python package, you can use hashin. The first step is installing hashin:

pip install hashin

Once hashin is installed, you can get the package hash easily:

hashin Flask==0.12.1

The code above adds the package name, version, and available hashes to your requirements.txt file automatically. Unfortunately I'm not aware of a method for recursive hashin checks, so if a package dependency doesn't use hashes, you'll need to run hashin for each of those packages manually.

Recent Features

By Landon SchroppApril 14, 2014
Write Better JavaScript with Promises
You've probably heard the talk around the water cooler about how promises are the future. All of the cool kids are using them, but you don't see what makes them so special. Can't you just use a callback? What's the big deal? In this article, we'll...
By David WalshNovember 7, 2011
Create Spinning Rays with CSS3: Revisited
Last December I wrote a blog post titled Create Spinning Rays with CSS3 Animations & JavaScript where I explained how easy it was to create a spinning rays animation with a bit of CSS and JavaScript. The post became quite popular so I...

Incredible Demos

By David WalshDecember 5, 2012
Disable Autocomplete, Autocapitalize, and Autocorrect
Mobile and desktop browser vendors do their best to help us not look like idiots by providing us autocomplete, autocorrect, and autocapitalize features. Unfortunately these features can sometimes get in the way; we don't always want or need the help they provide. Luckily most browsers allow...
By David WalshJune 15, 2010
TextboxList for MooTools and jQuery by Guillermo Rauch
I'll be honest with you: I still haven't figured out if I like my MooTools teammate Guillermo Rauch. He's got a lot stacked up against him. He's from Argentina so I get IM'ed about 10 times a day about how great Lionel...

Discussion

Peter Bengtsson
I think in your second snippet you mean hashin Flask==0.12.1.

Also, hashin works by just specifying the package name. It’ll then install the latest version. E.g. hashin Flask.

David Walsh
Yep, my bad! Updated!

Francis O'Donovan
Check out for getting both recursive checks and hashes.
F Fouvry
pip-compile (from pip-tools) can generate hashes in a requirements file, using the option --generate-hashes.

Get Python Requirements Package Hashes

Recent Features

Write Better JavaScript with Promises

Create Spinning Rays with CSS3: Revisited

Incredible Demos

Disable Autocomplete, Autocapitalize, and Autocorrect

TextboxList for MooTools and jQuery by Guillermo Rauch

Discussion