Building Resilient Systems on AWS: Learn how to design and implement a resilient, highly available, fault-tolerant infrastructure on AWS.

Get Python Requirements Package Hashes

By David Walsh on May 15, 2017

Python's (pip's) requirements.txt file is the equivalent to package.json in the JavaScript / Node.js world. This requirements.txt file isn't as pretty as package.json but it not only defines a version but goes a step further, providing a sha hash to compare against to ensure package integrity:

Flask==0.12.1 \
    --hash=sha256:6c3130c8927109a08225993e4e503de4ac4f2678678ae211b33b519c622a7242
Jinja2==2.9.6 \
    --hash=sha256:2231bace0dfd8d2bf1e5d7e41239c06c9e0ded46e70cc1094a0aa64b0afeb054
MarkupSafe==1.0 \
    --hash=sha256:a6be69091dac236ea9c6bc7d012beab42010fa914c459791d627dad4910eb665

....

Coming from the JavaScript / package.json world, you only need to provide the package name and version. To get the hash of a python package, you can use hashin. The first step is installing hashin:

pip install hashin

Once hashin is installed, you can get the package hash easily:

hashin Flask==0.12.1

The code above adds the package name, version, and available hashes to your requirements.txt file automatically. Unfortunately I'm not aware of a method for recursive hashin checks, so if a package dependency doesn't use hashes, you'll need to run hashin for each of those packages manually.

Recent Features

By David WalshJune 11, 2013
Serving Fonts from CDN
For maximum performance, we all know we must put our assets on CDN (another domain). Along with those assets are custom web fonts. Unfortunately custom web fonts via CDN (or any cross-domain font request) don't work in Firefox or Internet Explorer (correctly so, by spec) though...
By David WalshApril 3, 2013
CSS @supports
Feature detection via JavaScript is a client side best practice and for all the right reasons, but unfortunately that same functionality hasn't been available within CSS. What we end up doing is repeating the same properties multiple times with each browser prefix. Yuck. Another thing we...

Incredible Demos

By David WalshJuly 14, 2008
Build a Toggling Announcement Slider Using MooTools 1.2
A few of my customer have asked for me to create a subtle but dynamic (...I know...) way for them to advertise different specials on their website. Not something that would display on every page, but periodically or only the homepage. Using a trick...
By David WalshAugust 14, 2007
Advanced CSS Tables II – Using Mootools JavaScript For Alternate Row Colors
As I discussed in Advanced CSS Tables - Using CSS3 For Alternate Row Colors, we will eventually be able to use the ":nth-child(argument)" pseudo-class in CSS3 to provide alternate row background colors. What do we use in the mean time? You can explicitly...

Discussion

Peter Bengtsson
I think in your second snippet you mean hashin Flask==0.12.1.

Also, hashin works by just specifying the package name. It’ll then install the latest version. E.g. hashin Flask.

David Walsh
Yep, my bad! Updated!

Francis O'Donovan
Check out for getting both recursive checks and hashes.
F Fouvry
pip-compile (from pip-tools) can generate hashes in a requirements file, using the option --generate-hashes.

Get Python Requirements Package Hashes

Recent Features

Serving Fonts from CDN

CSS @supports

Incredible Demos

Build a Toggling Announcement Slider Using MooTools 1.2

Advanced CSS Tables II – Using Mootools JavaScript For Alternate Row Colors

Discussion