“包裹不匹配"点错误 [英] "PACKAGES DO NOT MATCH THE HASHES" error with pip
问题描述
我正在尝试使用pip安装软件包.在这种情况下,使用的是OpenCV.但是,我无法安装任何东西.我正在使用python 3.5.3 zh pip 18.0(使用get-pip.py安装).
I'm trying to install packages using pip. In this case for OpenCV. However, I'm unable to install anything. I'm using python 3.5.3 en pip 18.0 (installed using get-pip.py).
无论我如何尝试,命令"pip install package-name"都会产生以下错误:
Whatever I try, the command 'pip install package-name' generates the following error:
这些软件包不匹配需求文件中的哈希.如果您更新了软件包版本,请更新哈希值.否则,请仔细检查包装内的物品;可能有人篡改了他们. 来自 https://www.piwheels.org/simple/opencv-contrib-python-headless/opencv_contrib_python_headless-3.4.3.18-cp35-cp35m-linux_armv6l.whl#sha256=ff894c0cc7c98b05b7b260a1dc42e7a0420923042 预期的sha256 ff894c0cc7c98b05b7b260a1dc462e7ad0a4220b042072fc0134a2b7a92bc4a5 得到了4119d8c56d19ef044c1faca317dd10f2bb3b50cbee77426a22feca9b641c5637
THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them. opencv-contrib-python-headless from https://www.piwheels.org/simple/opencv-contrib-python-headless/opencv_contrib_python_headless-3.4.3.18-cp35-cp35m-linux_armv6l.whl#sha256=ff894c0cc7c98b05b7b260a1dc462e7ad0a4220b042072fc0134a2b7a92bc4a5: Expected sha256 ff894c0cc7c98b05b7b260a1dc462e7ad0a4220b042072fc0134a2b7a92bc4a5 Got 4119d8c56d19ef044c1faca317dd10f2bb3b50cbee77426a22feca9b641c5637
我尝试过的事情:
- 使用"--no-cache-dir",这是另一个使用相同问题的建议.
- 重新安装python/pip或尝试其他版本的python.
推荐答案
这是 https://pywheels的问题. org/维护人员需要修复.
This is a problem that the https://pywheels.org/ maintainers need to fix.
https://www.piwheels.org/simple/opencv- contrib-python-headless/ 包含一个链接到
https://www.piwheels.org/simple/opencv-contrib-python-headless/
contains a link to opencv_contrib_python_headless-3.4.3.18-cp35-cp35m-linux_armv6l.whl with a SHA256 of ff894c0cc7c98b05b7b260a1dc462e7ad0a4220b042072fc0134a2b7a92bc4a5 embedded in the URL.
但是,下载文件时,其 actual SHA256是4119d8c56d19ef044c1faca317dd10f2bb3b50cbee77426a22feca9b641c5637(我自己得到的,因此它不是攻击者在您的网络连接中胡闹,只能替代恶意软件包).
However, downloading the file, its actual SHA256 is 4119d8c56d19ef044c1faca317dd10f2bb3b50cbee77426a22feca9b641c5637 (I get this myself, so it's not an attacker monkeying-in-the-middle with your network connection only to substitute malicious packages).
这可能意味着,如果攻击者向软件包中注入了恶意软件但未更新校验和,那么恶意篡改仍会继续(可能是直接破坏了PyWheels基础设施的人).安全的做法是与网站所有者联系,并要求他们调查此问题.
This could mean that malicious tampering has gone on (presumably by someone who's directly compromised PyWheels infrastructure), if an attacker has injected malware into the packages but not updated the checksums. The safe thing to do is to contact the site owners and ask that they investigate the issue.
这篇关于“包裹不匹配"点错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
