Building Resilient Systems on AWS: Learn how to design and implement a resilient, highly available, fault-tolerant infrastructure on AWS.

Get Python Requirements Package Hashes

By David Walsh on May 15, 2017

Python's (pip's) requirements.txt file is the equivalent to package.json in the JavaScript / Node.js world. This requirements.txt file isn't as pretty as package.json but it not only defines a version but goes a step further, providing a sha hash to compare against to ensure package integrity:

Flask==0.12.1 \
    --hash=sha256:6c3130c8927109a08225993e4e503de4ac4f2678678ae211b33b519c622a7242
Jinja2==2.9.6 \
    --hash=sha256:2231bace0dfd8d2bf1e5d7e41239c06c9e0ded46e70cc1094a0aa64b0afeb054
MarkupSafe==1.0 \
    --hash=sha256:a6be69091dac236ea9c6bc7d012beab42010fa914c459791d627dad4910eb665

....

Coming from the JavaScript / package.json world, you only need to provide the package name and version. To get the hash of a python package, you can use hashin. The first step is installing hashin:

pip install hashin

Once hashin is installed, you can get the package hash easily:

hashin Flask==0.12.1

The code above adds the package name, version, and available hashes to your requirements.txt file automatically. Unfortunately I'm not aware of a method for recursive hashin checks, so if a package dependency doesn't use hashes, you'll need to run hashin for each of those packages manually.

Recent Features

By David WalshDecember 6, 2012
Vibration API
Many of the new APIs provided to us by browser vendors are more targeted toward the mobile user than the desktop user. One of those simple APIs the Vibration API. The Vibration API allows developers to direct the device, using JavaScript, to vibrate in...
By David WalshDecember 23, 2011
CSS Filters
CSS filter support recently landed within WebKit nightlies. CSS filters provide a method for modifying the rendering of a basic DOM element, image, or video. CSS filters allow for blurring, warping, and modifying the color intensity of elements. Let's have...

Incredible Demos

By David WalshJanuary 6, 2011
Create Spinning, Fading Icons with CSS3 and MooTools
A goal of my latest blog redesign was to practice what I preached a bit more; add a bit more subtle flair. One of the ways I accomplished that was by using CSS3 animations to change the display of my profile icons (RSS, GitHub, etc.) I...
By David WalshDecember 11, 2008
jQuery Countdown Plugin
You've probably been to sites like RapidShare and MegaUpload that allow you to download files but make you wait a specified number of seconds before giving you the download link. I've created a similar script but my script allows you to animate the CSS font-size...

Discussion

Peter Bengtsson
I think in your second snippet you mean hashin Flask==0.12.1.

Also, hashin works by just specifying the package name. It’ll then install the latest version. E.g. hashin Flask.

David Walsh
Yep, my bad! Updated!

Francis O'Donovan
Check out for getting both recursive checks and hashes.
F Fouvry
pip-compile (from pip-tools) can generate hashes in a requirements file, using the option --generate-hashes.

Get Python Requirements Package Hashes

Recent Features

Vibration API

CSS Filters

Incredible Demos

Create Spinning, Fading Icons with CSS3 and MooTools

jQuery Countdown Plugin

Discussion