
Pip may record an invalid hash in cache entries #11943

@sbidoul

Description


In some circumstances, pip may record an invalid hash in the origin.json file in wheel cache entries.

This happens when an invalid hash is provided as a URL fragment, together with a good hash provided with --hash.
In such cases pip does not validate the hash provided as a URL fragment.
The cache logic, however, assumes such a hash has been validated elsewhere in pip and records it without verifying it.

Expected behavior

We should probably compute a set of strong hashes when generating origin.json.

Besides resolving this bug, this would also be more predictable, with known hash algorithms recorded in cache entries.

pip version

Since 22.2

Python version

any

OS

any

How to Reproduce

Create and install a requirements.txt like this:

simple @ https://github.com/pypa/pip/raw/23.0.1/tests/data/packages/simple-1.0.tar.gz#sha256=invalid \
  --hash sha256:393043e672415891885c9a2a0929b1af95fb866d6ca016b42d2e6ce53619b653

Notice the hash recorded in origin.json is invalid.

Output

No response
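To make the failure mode concrete, the following is an added example, not pip's code and not the reporter's: a toy model of the download-and-record path described above. It assumes a simplified data model (artifact bytes, a URL with an optional `#sha256=...` fragment, and `--hash` requirements as a dict), a constructed byte string standing in for simple-1.0.tar.gz, and a made-up `example.invalid` URL; it does not reproduce the real origin.json schema. The buggy variant copies the fragment hash into the record because it assumes it was validated elsewhere; the hardened variant checks the fragment against the bytes and records freshly computed strong digests, which is what the expected-behavior section asks for.

```python
import hashlib
from urllib.parse import parse_qs, urlsplit

# Algorithms accepted for --hash; also the set recorded here (assumption:
# this is the "set of strong hashes" the issue suggests writing to origin.json).
STRONG_HASHES = ("sha256", "sha384", "sha512")


def fragment_hash(url):
    """Parse a '#<algo>=<hexdigest>' URL fragment into (algo, digest), or None."""
    fragment = urlsplit(url).fragment
    if not fragment:
        return None
    params = parse_qs(fragment)
    for algo in STRONG_HASHES:
        if algo in params:
            return algo, params[algo][0].lower()
    return None


def matches_requirement_hashes(data, allowed):
    """Stand-in for --hash enforcement: data must match one allowed digest.

    allowed maps algorithm name -> set of acceptable hex digests.
    """
    for algo, digests in allowed.items():
        if hashlib.new(algo, data).hexdigest() in {d.lower() for d in digests}:
            return True
    return False


def buggy_origin_record(url, data, allowed):
    """The reported behaviour: --hash is enforced, but the fragment hash is
    assumed to have been validated elsewhere and is copied into the cache
    record unverified, so '#sha256=invalid' is recorded verbatim."""
    if not matches_requirement_hashes(data, allowed):
        raise ValueError("download does not match any --hash requirement")
    record = {"url": url.split("#", 1)[0]}
    fh = fragment_hash(url)
    if fh is not None:
        record["archive_info"] = {"hash": f"{fh[0]}={fh[1]}"}
    return record


def safe_origin_record(url, data, allowed):
    """Hardened variant: a fragment hash, if present, is checked against the
    downloaded bytes, and the record holds digests computed from those bytes,
    never a value taken from the URL."""
    if not matches_requirement_hashes(data, allowed):
        raise ValueError("download does not match any --hash requirement")
    fh = fragment_hash(url)
    if fh is not None:
        algo, expected = fh
        if hashlib.new(algo, data).hexdigest() != expected:
            raise ValueError(f"URL fragment {algo} hash does not match the download")
    return {
        "url": url.split("#", 1)[0],
        "archive_info": {
            "hashes": {algo: hashlib.new(algo, data).hexdigest() for algo in STRONG_HASHES}
        },
    }


# Constructed sample input standing in for simple-1.0.tar.gz; not a real archive.
SAMPLE_ARTIFACT = b"constructed stand-in for simple-1.0.tar.gz\n"
GOOD_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()
ALLOWED = {"sha256": {GOOD_SHA256}}
BAD_FRAGMENT_URL = "https://example.invalid/simple-1.0.tar.gz#sha256=invalid"
GOOD_FRAGMENT_URL = f"https://example.invalid/simple-1.0.tar.gz#sha256={GOOD_SHA256}"


def demo():
    """Return (what the buggy path records, what the safe path does) for the
    issue's scenario: an invalid fragment hash plus a correct --hash."""
    recorded_by_buggy = buggy_origin_record(BAD_FRAGMENT_URL, SAMPLE_ARTIFACT, ALLOWED)
    try:
        safe_origin_record(BAD_FRAGMENT_URL, SAMPLE_ARTIFACT, ALLOWED)
        safe_outcome = "accepted"
    except ValueError as exc:
        safe_outcome = f"rejected: {exc}"
    return recorded_by_buggy, safe_outcome


if __name__ == "__main__":
    buggy, safe = demo()
    print("buggy record:", buggy)
    print("safe path:   ", safe)
```

Running it shows the buggy record carrying `sha256=invalid` while the hardened path refuses the same input; with a correct fragment (or none at all) the hardened path records sha256, sha384 and sha512 digests of the actual bytes, so the cache entry never depends on what the requirement line claimed.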


Labels

C: cache (Dealing with cache and files in it); type: bug (A confirmed bug or unintended behavior)
