Description
- I am on the latest Poetry version.
- I have searched the issues of this repo and believe that this is not a duplicate.
- If an exception occurs when executing a command, I executed it again in debug mode (`-vvv` option).
- OS version and name: MacOS Monterey (12.5.1)
- Poetry version: 1.2.0
Issue
After upgrading from poetry 1.1.15 to 1.2.0, I can no longer `poetry install` in my dev environment - it fails on a single package. I've investigated and it looks like the problem is that with the new poetry, only SHA256 hashes are stored for packages in poetry.lock, even when the serving PyPI repository only supplies MD5 hashes.
Somehow, even though the PyPI repo serves MD5 (only) hashes, the new poetry stores a SHA256 hash in poetry.lock - then when I try to do `poetry install`, the MD5 hash from the retrieved package of course doesn't match the hash in the lock file, so I get:
```
Retrieved digest for link sirona-xyz-utils-0.10.2.tar.gz(md5:XXXXX) not in poetry.lock metadata ['sha256:YYYYY', 'sha256:ZZZZZ']

at ~/Library/Application Support/pypoetry/venv/lib/python3.7/site-packages/poetry/installation/chooser.py:145 in _get_links
    141│                 selected_links.append(link)
    142│
    143│         if links and not selected_links:
    144│             raise RuntimeError(
  → 145│                 f"Retrieved digest for link {link.filename}({h}) not in poetry.lock"
    146│                 f" metadata {hashes}"
    147│             )
    148│
    149│         return selected_links
```
(I've obscured the actual hashes and package-name above).
In our case, the PyPI repo server is Nexus, and not the very latest Nexus which does serve SHA256 hashes - that was only released this month, Aug 2022.
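
The mismatch described in this report, as an added example that is not part of the original issue and is not Poetry's code: an index-advertised `md5:` digest can never appear verbatim in a list of `sha256:` lock entries, whereas hashing the downloaded bytes with the algorithm named in the lock file still verifies the artifact. The function names, package name, URL and bytes are constructed for illustration.

```python
import hashlib


def parse_link_fragment(url):
    """Return 'algo:hexdigest' from a simple-index link such as
    .../pkg-1.0.tar.gz#md5=abc, or None when the link carries no digest."""
    _, _, fragment = url.partition("#")
    algo, sep, digest = fragment.partition("=")
    return f"{algo}:{digest}" if sep and algo and digest else None


def advertised_match(link_hash, lock_hashes):
    """The comparison that fails in the report: the digest advertised by the
    index is looked up verbatim among the lock-file entries."""
    return link_hash in lock_hashes


def verify_artifact(data, lock_hashes):
    """Hash the downloaded bytes with each algorithm named in the lock file
    and accept only if one locked digest matches."""
    for entry in lock_hashes:
        algo, _, expected = entry.partition(":")
        if algo not in hashlib.algorithms_available:
            continue  # unknown algorithm in the lock entry: cannot verify with it
        if hashlib.new(algo, data).hexdigest() == expected.lower():
            return True
    return False


# Constructed sample data (hypothetical package, URL and contents).
ARTIFACT = b"constructed sdist bytes for example-pkg 0.10.2"
LOCK_HASHES = [
    "sha256:" + hashlib.sha256(ARTIFACT).hexdigest(),
    "sha256:" + hashlib.sha256(b"constructed wheel bytes").hexdigest(),
]
LINK = (
    "https://nexus.example.invalid/repository/pypi/example_pkg-0.10.2.tar.gz#md5="
    + hashlib.md5(ARTIFACT).hexdigest()
)

if __name__ == "__main__":
    link_hash = parse_link_fragment(LINK)
    print("index advertises:", link_hash.split(":")[0])
    print("verbatim match against lock:", advertised_match(link_hash, LOCK_HASHES))
    print("content verified against lock:", verify_artifact(ARTIFACT, LOCK_HASHES))
```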