pip freeze with a hash

• Pip version: 9.0.1
• Python version: 3.5.4
• Operating system: Debian / PureOS

Description:

User story: I am a Python developer with an existing requirements.txt file. I want to add hashes to the file, so that future installations are more secure.

What I’ve run:

At the moment I need to:

• Locate the package.tar.gz or package.whl
• Run pip hash /path/to/package
• Copy the result into requirements.txt
• Repeat for every package

It would be great if instead I could:

• Run pip freeze --hash
• Get pip-formatted output with all package names and their hashes
• Copy the result into requirements.txt

Today’s solution:

Pipfile is a replacement for requirements.txt that includes hashes in a file called Pipfile.lock.

pipenv is a tool for managing your virtualenv based on Pipfile, including checks against the hashes defined in Pipfile.lock. (It can also convert a requirements.txt file.)

Suggested solution:

Supporting Pipfile at the pip layer (rather than a higher-level tool) is on the PyPA roadmap, see https://github.com/pypa/pipfile#pip-integration-eventual :

pip will grow a new command line option, -p / --pipfile to install the versions as specified in a Pipfile, similar to its existing -r / --requirement argument for installing requirements.txt files. … To manually update the Pipfile.lock:

$ pip freeze -p different_pipfile different_pipfile.lock (73d81f) written to disk.

The implication is that this is the preferred solution to supporting hashes (rather than adding them to requirements.txt or pip freeze). The current status “Deferred till PR” (see this ticket). See also https://github.com/pypa/pip/issues/6925