
Private repository dependency isn't exported with sha256 hash #1631

Closed
petergaultney opened this issue Nov 25, 2019 · 10 comments · Fixed by #2958
Labels
kind/bug Something isn't working as expected

Comments

@petergaultney

petergaultney commented Nov 25, 2019

MD5 hashes aren't supported by pip, and SHA256 hashes should be preferred for other reasons as well.

However, it appears that poetry doesn't want to use/calculate the SHA256 hash for a package installed from a private repository.

All my other packages have the right type of hash embedded in the poetry.lock.

    {file = "vnxpy-3.10.0-py3-none-any.whl", hash = "sha256:5887fce95ca9ce304f86f7438b6a8d6b80d14895c8f3810fe6eb33b4b01c428c"},
]
warrant = [
    {file = "warrant-0.6.1-py2.py3-none-any.whl", hash = "sha256:a4099c566086be45d616ed4f58ed1567893ac74de125e201fc89c9023d8adf7d"},
    {file = "warrant-0.6.1.tar.gz", hash = "sha256:749bde7f775c077a64edfe21464654e0a39fc93dd76e27d5d2a61997b6dcaa0a"},
]
wcwidth = [
    {file = "wcwidth-0.1.7-py2.py3-none-any.whl", hash = "sha256:f4ebe71925af7b40a864553f761ed559b43544f8f71746c2d756c7fe788ade7c"},
    {file = "wcwidth-0.1.7.tar.gz", hash = "sha256:3df37372226d6e63e1b1e1eda15c594bca98a22d33a23832a90998faa96bc65e"},
]
wrapt = [
    {file = "wrapt-1.11.2.tar.gz", hash = "sha256:565a021fd19419476b9362b05eeaa094178de64f8361e44468f9e9d7843901e1"},
]
xoipy = [
    {file = "xoipy-1.27.1-py3-none-any.whl", hash = "md5:d39b851928a9056177cf8922772ce0b0"},
    {file = "xoipy-1.27.1.tar.gz", hash = "md5:238aa209e50aca1f90ada7a126a10327"},
]

Note xoipy, which has md5s specified. The repository itself provides the SHA256 sums, though I have not yet found the code that actually pulls those down, so I can't confirm that poetry is receiving them. If/when I do, I will update this report.
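
Since the practical consequence of an md5 entry is that pip's hash-checking mode rejects it, a quick audit of the lock file is the check most people want first. The script below is an added example (not poetry's own code, and not from the reporter) that parses the `[metadata.files]` layout quoted above and flags entries pip would refuse; it assumes the older `name = [ {file = ..., hash = ...} ]` lock layout shown in the report, and the excerpt embedded in it is copied from the entries above.

```python
"""Added example, not poetry's own code: audit the [metadata.files] entries of
a poetry.lock for hashes that pip's hash-checking mode will refuse. pip only
accepts sha256, sha384 and sha512 in --hash, so an md5 entry can never be
exported into a requirements file that pip will install."""
import hashlib
import re
from typing import Dict, List, Tuple

STRONG_HASHES = {"sha256", "sha384", "sha512"}
PACKAGE_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*=\s*\[\s*$")
ENTRY_RE = re.compile(
    r'\{file\s*=\s*"(?P<file>[^"]+)"\s*,\s*hash\s*=\s*"(?P<algo>[^:"]+):(?P<digest>[^"]*)"\s*\}'
)

# Lock excerpt copied from the entries quoted in the report above.
LOCK_EXCERPT = """\
warrant = [
    {file = "warrant-0.6.1-py2.py3-none-any.whl", hash = "sha256:a4099c566086be45d616ed4f58ed1567893ac74de125e201fc89c9023d8adf7d"},
    {file = "warrant-0.6.1.tar.gz", hash = "sha256:749bde7f775c077a64edfe21464654e0a39fc93dd76e27d5d2a61997b6dcaa0a"},
]
wcwidth = [
    {file = "wcwidth-0.1.7-py2.py3-none-any.whl", hash = "sha256:f4ebe71925af7b40a864553f761ed559b43544f8f71746c2d756c7fe788ade7c"},
    {file = "wcwidth-0.1.7.tar.gz", hash = "sha256:3df37372226d6e63e1b1e1eda15c594bca98a22d33a23832a90998faa96bc65e"},
]
wrapt = [
    {file = "wrapt-1.11.2.tar.gz", hash = "sha256:565a021fd19419476b9362b05eeaa094178de64f8361e44468f9e9d7843901e1"},
]
xoipy = [
    {file = "xoipy-1.27.1-py3-none-any.whl", hash = "md5:d39b851928a9056177cf8922772ce0b0"},
    {file = "xoipy-1.27.1.tar.gz", hash = "md5:238aa209e50aca1f90ada7a126a10327"},
]
"""


def parse_lock_files(lock_text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {package: [(filename, algo, digest), ...]} from the files section."""
    files: Dict[str, List[Tuple[str, str, str]]] = {}
    current = None
    for line in lock_text.splitlines():
        header = PACKAGE_RE.match(line)
        if header:
            current = header["name"]
            files.setdefault(current, [])
            continue
        entry = ENTRY_RE.search(line)
        if entry and current is not None:
            files[current].append(
                (entry["file"], entry["algo"].lower(), entry["digest"].lower())
            )
    return files


def hash_problem(algo: str, digest: str) -> str:
    """Empty string if pip would accept this hash, otherwise the reason it would not."""
    if algo not in STRONG_HASHES:
        return f"algorithm {algo} is not accepted by pip"
    expected_len = hashlib.new(algo).digest_size * 2   # hex characters
    if len(digest) != expected_len or not re.fullmatch(r"[0-9a-f]+", digest):
        return f"digest is not {expected_len} hex characters"
    return ""


def weak_hash_entries(lock_text: str) -> List[Tuple[str, str, str, str]]:
    """(package, filename, algo, reason) for every entry pip would refuse."""
    findings = []
    for package, entries in parse_lock_files(lock_text).items():
        for filename, algo, digest in entries:
            reason = hash_problem(algo, digest)
            if reason:
                findings.append((package, filename, algo, reason))
    return findings


if __name__ == "__main__":
    for package, filename, algo, reason in weak_hash_entries(LOCK_EXCERPT):
        print(f"{package}: {filename}: {reason}")
```

Run against the excerpt it reports only the two xoipy files. The digest-length check is there because a truncated or hand-edited sha256 is refused by pip just as an md5 is, and it is cheaper to catch both in CI than at install time.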

@adawalli
Contributor

> Note xoipy, which has md5s specified. The repository itself provides the SHA256 sums, though I have not yet found the code that actually pulls those down, so I can't confirm that poetry is receiving them. If/when I do, I will update this report.

Did you find any workaround @petergaultney? This is burning my team badly as well.

@robpob10

I've been blocked by this problem too, and have had a look into it.

In my case, the private repo is hosted on JFrog Artifactory, and the problem is ultimately caused by an Artifactory bug. To briefly describe what happens:

  • To get PyPI hashes, poetry uses the hashes built into the data outputted by the PyPI API.
  • e.g., if you run curl https://pypi.org/simple/requests/, you'll see data that looks like requests-2.9.2-py2.py3-none-any.whl#sha256=22a8c72dfc7fc18db1aca6784e97a638e9d09abe2cd387be473f88bd6dcba22f - it has the sha256 available in the URL.
  • Querying the API of PyPI hosted on JFrog Artifactory however, gives you data that looks like myproject-4.0.0-py3-none-any.whl#md5=01fd95237bsdhjkshe2cf869 - the inbuilt hash is in the md5 format (this is the JFrog Artifactory bug), so that's what poetry takes.
  • See here for the relevant poetry code.

Solutions:

  • pipenv tackles this problem by streaming the file to compute the SHA256 (see _get_file_hash() and open_local_or_remote_file()) whenever the SHA256 is unavailable.
  • If you want a workaround to using pip to install the wheels, just download the wheels using wget etc instead of pip, and do the checksum manually.

Next actions:

  • If the poetry devs think that pipenv's compute-it-yourself hash solution is acceptable, I'd like to submit a pull request doing that for cases where the SHA256 is unavailable in the PyPi API output. Please let me know if you think this is a worthwhile approach.
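
The mechanism described in the comment above, as an added example that is neither poetry's nor pipenv's code: parse the `#algo=digest` fragments of a PEP 503 simple-index page, trust a strong one as-is, and otherwise stream the file and compute sha256 yourself. The index URL, the package bytes and the index page are constructed stand-ins for a private Artifactory repository; `fake_fetch` stands in for the HTTP GET poetry would do.

```python
"""Added example, not poetry's or pipenv's own code. Resolve a lock-file hash for
every file on a PEP 503 simple-index page: take the digest from the href fragment
when the index gives a strong one, otherwise download and hash the file.
The index URL, files and page below are constructed for the example."""
import hashlib
import re
from html.parser import HTMLParser
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urldefrag, urljoin

STRONG_HASHES = {"sha256", "sha384", "sha512"}   # what pip accepts in --hash
FRAGMENT_RE = re.compile(r"^(?P<algo>[A-Za-z0-9]+)=(?P<digest>[0-9A-Fa-f]+)$")
Link = Tuple[str, str, Optional[str], Optional[str]]   # filename, url, algo, digest


class _AnchorHrefs(HTMLParser):
    """Collect the href of every <a> on the page."""
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def parse_simple_index(page_url: str, page_html: str) -> List[Link]:
    """One entry per link; algo/digest are None when the href has no #algo=digest."""
    parser = _AnchorHrefs()
    parser.feed(page_html)
    links: List[Link] = []
    for href in parser.hrefs:
        url, fragment = urldefrag(urljoin(page_url, href))
        algo = digest = None
        match = FRAGMENT_RE.match(fragment)
        if match:
            algo, digest = match["algo"].lower(), match["digest"].lower()
        links.append((url.rsplit("/", 1)[-1], url, algo, digest))
    return links


def hash_stream(chunks: Iterable[bytes], algos: Set[str]) -> Dict[str, str]:
    """Hash a download incrementally, several algorithms in a single pass."""
    hashers = {algo: hashlib.new(algo) for algo in algos}
    for chunk in chunks:
        for hasher in hashers.values():
            hasher.update(chunk)
    return {algo: hasher.hexdigest() for algo, hasher in hashers.items()}


def resolve_hashes(page_url: str, page_html: str,
                   fetch: Callable[[str], Iterable[bytes]]) -> Dict[str, Tuple[str, str]]:
    """filename -> ("<algo>:<digest>", "index" | "computed").
    A strong fragment is used as-is. Anything else means a download plus sha256;
    a weak fragment (md5) is still compared with the download as a corruption
    check, but is never written into the result."""
    resolved: Dict[str, Tuple[str, str]] = {}
    for filename, url, algo, digest in parse_simple_index(page_url, page_html):
        if algo in STRONG_HASHES:
            resolved[filename] = (f"{algo}:{digest}", "index")
            continue
        wanted = {"sha256"}
        if algo is not None and algo in hashlib.algorithms_available:
            wanted.add(algo)
        digests = hash_stream(fetch(url), wanted)
        if algo in digests and digests[algo] != digest:
            raise ValueError(f"{filename}: index says {algo}={digest}, download has {digests[algo]}")
        resolved[filename] = (f"sha256:{digests['sha256']}", "computed")
    return resolved


# --- constructed stand-ins for the private repository (not real data) -------
INDEX_URL = "https://artifactory.example.internal/api/pypi/pypi-local/simple/xoipy/"
SAMPLE_FILES = {
    INDEX_URL + "xoipy-1.27.1-py3-none-any.whl": b"PK\x03\x04 fake wheel bytes for the example",
    INDEX_URL + "xoipy-1.27.1.tar.gz": b"\x1f\x8b fake sdist bytes for the example",
    INDEX_URL + "xoipy-1.26.0.tar.gz": b"\x1f\x8b fake older sdist for the example",
}


def sample_index_html(tamper: bool = False) -> str:
    """Page shaped like the Artifactory output quoted above: md5 on the wheel, no
    fragment on one sdist, sha256 on the other. tamper=True makes the advertised
    md5 disagree with the bytes served."""
    anchors = []
    for url, algo in zip(SAMPLE_FILES, ["md5", None, "sha256"]):
        frag = ""
        if algo:
            hexdigest = hashlib.new(algo, SAMPLE_FILES[url]).hexdigest()
            if tamper and algo == "md5":
                hexdigest = hexdigest[::-1]
            frag = f"#{algo}={hexdigest}"
        anchors.append(f'<a href="{url}{frag}">{url.rsplit("/", 1)[-1]}</a>')
    return "<html><body>" + "\n".join(anchors) + "</body></html>"


def fake_fetch(url: str, chunk_size: int = 16) -> Iterable[bytes]:
    """Stand-in for a streaming HTTP GET of the file."""
    data = SAMPLE_FILES[url]
    for start in range(0, len(data), chunk_size):
        yield data[start:start + chunk_size]


if __name__ == "__main__":
    for name, (value, source) in resolve_hashes(INDEX_URL, sample_index_html(), fake_fetch).items():
        print(f'{name}: hash = "{value}"  ({source})')
```

The `"sha256:<digest>"` strings are in the same form as the `hash =` values in poetry.lock. One caveat worth keeping in mind with the compute-it-yourself fallback: a hash you derive from your own first download only pins the artifact for later installs, it does not vouch for what the repository served that first time. Where the repository does publish sha256 sums (as the reporter notes Artifactory does), those are the values to prefer.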

@adawalli
Contributor

I recommend commenting on this https://www.jfrog.com/jira/browse/RTFACT-18495 ARTIFACTORY issue and voting - JFROG hasn't even responded, so it seems like it needs a bit more attention.

@thoward27

I think it would be a really nice feature if poetry generated hashes when they weren't present. @robpob10 have you drafted anything up? I'd love to help move this forward

@cpvandehey

I'd also be interested in helping this move forward as it seems to be a blocker in our suggested workflow with poetry.

abn added a commit to abn/poetry that referenced this issue Sep 25, 2020
In some cases, legacy repositories might not provide a checksum as a
url fragment or use a deprecated algorithm. In these scenarios, this
change ensures that poetry downloads and calculates the sha256 checksum
for the file.

Resolves: python-poetry#1631 python-poetry#1553
@timorkal

In my case I am using gemfury to store packages.
I am getting the md5 hash in the lock file, but the "poetry export" command refuses to export this type of hash.
Any chance to add this ability?

@jmahlik

jmahlik commented Mar 3, 2021

> In my case I am using gemfury to store packages.
> I am getting the md5 hash in the lock file, but the "poetry export" command refuses to export this type of hash.
> Any chance to add this ability?

Similar issue here. Appears to be related to non-PyPI repos. Not sure exporting md5 would be useful since pip would refuse to install it with an md5 hash.

@jmahlik

jmahlik commented Mar 3, 2021

It seems this could be a good use case for a plugin if it doesn't make its way into core?

#3733

abn added a commit to abn/poetry that referenced this issue Mar 21, 2021
In some cases, legacy repositories might not provide a checksum as a
url fragment or use a deprecated algorithm. In these scenarios, this
change ensures that poetry downloads and calculates the sha256 checksum
for the file.

Resolves: python-poetry#1631 python-poetry#1553
abn added a commit to abn/poetry that referenced this issue Mar 22, 2021
In some cases, legacy repositories might not provide a checksum as a
url fragment or use a deprecated algorithm. In these scenarios, this
change ensures that poetry downloads and calculates the sha256 checksum
for the file.

Resolves: python-poetry#1631 python-poetry#1553
kasteph pushed a commit that referenced this issue Mar 22, 2021
In some cases, legacy repositories might not provide a checksum as a
url fragment or use a deprecated algorithm. In these scenarios, this
change ensures that poetry downloads and calculates the sha256 checksum
for the file.

Resolves: #1631 #1553
@matejsp

matejsp commented Jun 15, 2022

Just for reference same issue with Nexus: https://issues.sonatype.org/browse/NEXUS-24127


github-actions bot commented Mar 1, 2024

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 1, 2024
8 participants