
poetry 1.2.0 can't install packages from private pypi servers supporting only MD5 hashes #6301

@jclerman

Description
  • I am on the latest Poetry version.
  • I have searched the issues of this repo and believe that this is not a duplicate.
  • If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).
  • OS version and name: MacOS Monterey (12.5.1)
  • Poetry version: 1.2.0

Issue

After upgrading from poetry 1.1.15 to 1.2.0, I can no longer poetry install in my dev environment - it fails on a single package. I've investigated and it looks like the problem is that with the new poetry, only SHA256 hashes are stored for packages in poetry.lock, even when the serving PyPi repository only supplies MD5 hashes.

Somehow, even though the PyPi repo serves MD5 (only) hashes, the new poetry stores a SHA256 hash in poetry.lock - then when I try to do poetry install, the MD5 hash from the retrieved package of course doesn't match the hash in the lock file, so I get:

Retrieved digest for link sirona-xyz-utils-0.10.2.tar.gz(md5:XXXXX) not in poetry.lock metadata ['sha256:YYYYY', 'sha256:ZZZZZ']

  at ~/Library/Application Support/pypoetry/venv/lib/python3.7/site-packages/poetry/installation/chooser.py:145 in _get_links
      141│             selected_links.append(link)
      142│
      143│         if links and not selected_links:
      144│             raise RuntimeError(
    → 145│                 f"Retrieved digest for link {link.filename}({h}) not in poetry.lock"
      146│                 f" metadata {hashes}"
      147│             )
      148│
      149│         return selected_links

(I've obscured the actual hashes and package-name above).

In our case, the PyPi repo server is Nexus, and not the very latest Nexus which does serve SHA256 hashes - that was only released this month, Aug 2022.
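The failure described in this report comes from comparing the digest string the index advertises against the digest strings pinned in poetry.lock, so an index that only advertises MD5 can never satisfy a SHA256-only pin. The following is an added example, not Poetry's own code, showing the strict string comparison beside a check that recomputes the pinned algorithm over the downloaded bytes. The archive bytes, the `digest_of`/`verify_download` helpers and the hash values are constructed for illustration; only the `algo:hex` format of the lock entries and the `md5:` form of the index digest come from the report.

```python
import hashlib
from typing import Iterable

# Constructed stand-in for the sdist bytes an index server would return.
SAMPLE_ARCHIVE = b"constructed sdist contents for the hash example\n"


def digest_of(content: bytes, algo: str) -> str:
    """Hex digest of content under the named hashlib algorithm."""
    return hashlib.new(algo, content).hexdigest()


def parse_digest(spec: str) -> tuple[str, str]:
    """Split 'md5:abc' (lock-file form) or 'md5=abc' (URL-fragment form) into (algo, hex)."""
    sep = ":" if ":" in spec else "="
    algo, _, hexdigest = spec.partition(sep)
    return algo.lower(), hexdigest.lower()


def link_matches_lock(link_digest: str, lock_hashes: Iterable[str]) -> bool:
    """Strict comparison as the report describes: the advertised digest must
    literally appear among the lock entries. An md5-only index therefore
    never matches a sha256-only lock, regardless of file contents."""
    return parse_digest(link_digest) in {parse_digest(h) for h in lock_hashes}


def verify_download(content: bytes, link_digest: str, lock_hashes: Iterable[str]) -> bool:
    """Content-based check: recompute each pinned algorithm over the downloaded
    bytes. The lock pin (e.g. sha256) stays authoritative even when the index
    only advertises a weaker digest; the index digest is still checked so a
    corrupted transfer is noticed, but it is not what authorises the install."""
    algo, expected = parse_digest(link_digest)
    if algo in hashlib.algorithms_available and digest_of(content, algo) != expected:
        return False  # transfer did not produce what the index advertised
    for entry in lock_hashes:
        lock_algo, lock_hex = parse_digest(entry)
        if lock_algo in hashlib.algorithms_available and digest_of(content, lock_algo) == lock_hex:
            return True  # bytes match a pinned digest
    return False  # nothing in the lock file vouches for these bytes


def demo() -> dict[str, bool]:
    """Reproduce the reported situation: md5-only index, sha256-only lock."""
    index_digest = "md5:" + digest_of(SAMPLE_ARCHIVE, "md5")
    lock = ["sha256:" + digest_of(SAMPLE_ARCHIVE, "sha256")]
    tampered = SAMPLE_ARCHIVE + b"extra"
    return {
        "strict_string_match": link_matches_lock(index_digest, lock),
        "content_match": verify_download(SAMPLE_ARCHIVE, index_digest, lock),
        "tampered_rejected": not verify_download(tampered, index_digest, lock),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run as a script it prints the three outcomes: the strict string match fails exactly as in the report, the content-based check accepts the same archive against the sha256 pin, and a modified archive is rejected. Note that `hashlib.new("md5", ...)` can be unavailable on FIPS-restricted builds, which is why the example consults `hashlib.algorithms_available` before computing a digest.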

Metadata


Labels: kind/bug (Something isn't working as expected), status/triage (This issue needs to be triaged)