
Pip complains about inexact pinning with --require-hashes, but all versions are pinned with == #9810

Closed
Labels
resolution: duplicate Duplicate of an existing issue/PR


jmcarp commented Apr 16, 2021

Description

Hey, I'm running into a confusing behavior with pip, and I'm not sure whether it's a bug or if I'm doing something wrong. I made a simple case to reproduce the problem: I have a requirements.in file that includes botocore and urllib3[secure], and I'm compiling a lockfile at requirements.txt with pip-compile --generate-hashes. When I install from requirements.txt using --extra-index-url, I get an error:

ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    urllib3<1.27,>=1.25.4 from https://pypi.<REDACTED>.com/simple/urllib3/urllib3-1.26.4-py2.py3-none-any.whl (from botocore==1.20.53->-r requirements.txt (line 10))

Every library in requirements.txt is pinned with "==". Also, I don't get an error if I don't use the private registry, or if I do use the private registry but drop "[secure]" from urllib3 in the lockfile. As far as I can tell, the wheels I'm downloading from the private registry and the usual pypi are identical. Any ideas about what's going on?

Expected behavior

Pip shouldn't fail on inexact pinning when all dependency versions are pinned with ==.

pip version

21.0.1

Python version

3.7.10

OS

macos

How to Reproduce

This is going to be hard to reproduce because the pypi index in question is private, but here goes:

  • Add botocore and urllib3[secure] to requirements.in
  • Lock requirements with pip-compile --generate-hashes
  • Install with pip install -r requirements.txt --extra-index-url REDACTED

Output

$ pip-compile --generate-hashes --quiet
$ pip install -r requirements.txt --require-hashes --extra-index-url REDACTED
Looking in indexes: https://pypi.org/simple, REDACTED
Requirement already satisfied: botocore==1.20.53 in /Users/josh.carp/.pyenv/versions/3.7.10/envs/locktest/lib/python3.7/site-packages (from -r requirements.txt (line 9)) (1.20.53)
Requirement already satisfied: certifi==2020.12.5 in /Users/josh.carp/.pyenv/versions/3.7.10/envs/locktest/lib/python3.7/site-packages (from -r requirements.txt (line 13)) (2020.12.5)
Requirement already satisfied: cffi==1.14.5 in /Users/josh.carp/.pyenv/versions/3.7.10/envs/locktest/lib/python3.7/site-packages (from -r requirements.txt (line 17)) (1.14.5)
Requirement already satisfied: cryptography==3.4.7 in /Users/josh.carp/.pyenv/versions/3.7.10/envs/locktest/lib/python3.7/site-packages (from -r requirements.txt (line 56)) (3.4.7)
Requirement already satisfied: idna==3.1 in /Users/josh.carp/.pyenv/versions/3.7.10/envs/locktest/lib/python3.7/site-packages (from -r requirements.txt (line 72)) (3.1)
Requirement already satisfied: jmespath==0.10.0 in /Users/josh.carp/.pyenv/versions/3.7.10/envs/locktest/lib/python3.7/site-packages (from -r requirements.txt (line 76)) (0.10.0)
Requirement already satisfied: pycparser==2.20 in /Users/josh.carp/.pyenv/versions/3.7.10/envs/locktest/lib/python3.7/site-packages (from -r requirements.txt (line 80)) (2.20)
Requirement already satisfied: pyopenssl==20.0.1 in /Users/josh.carp/.pyenv/versions/3.7.10/envs/locktest/lib/python3.7/site-packages (from -r requirements.txt (line 84)) (20.0.1)
Requirement already satisfied: python-dateutil==2.8.1 in /Users/josh.carp/.pyenv/versions/3.7.10/envs/locktest/lib/python3.7/site-packages (from -r requirements.txt (line 88)) (2.8.1)
Requirement already satisfied: six==1.15.0 in /Users/josh.carp/.pyenv/versions/3.7.10/envs/locktest/lib/python3.7/site-packages (from -r requirements.txt (line 92)) (1.15.0)
Collecting urllib3[secure]==1.26.4
  Using cached urllib3-1.26.4-py2.py3-none-any.whl (153 kB)
Collecting urllib3<1.27,>=1.25.4
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    urllib3<1.27,>=1.25.4 from REDACTED/urllib3/urllib3-1.26.4-py2.py3-none-any.whl (from botocore==1.20.53->-r requirements.txt (line 9))


@jmcarp jmcarp added S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior labels Apr 16, 2021
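As an added example (not pip's code and not the reporter's), a small lockfile audit that applies the two rules --require-hashes enforces, an == pin and a --hash on every line, to a constructed lockfile fragment, and then checks that the extras-bearing pin urllib3[secure]==1.26.4 covers the bare constraint urllib3<1.27,>=1.25.4 that botocore declares, matching on the normalized project name with extras ignored. The hash digests are placeholders and the version ordering is simplified dotted-integer comparison, not full PEP 440.

```python
import operator
import re

# Constructed lockfile fragment in pip-compile --generate-hashes layout; hashes are placeholders.
LOCKFILE = """
botocore==1.20.53 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
urllib3[secure]==1.26.4 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
"""
NAME = r"([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?"  # project name + optional extras
PIN_RE = re.compile(NAME + r"\s*([<>=!~]+)\s*([0-9][0-9.]*)")
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_lockfile(text):
    """Return {normalized name: (version, hashes)}; reject lines lacking an == pin or a --hash."""
    pins = {}
    for entry in re.sub(r"\\\n\s*", " ", text).strip().splitlines():
        entry = entry.strip()
        m = PIN_RE.match(entry)
        if not m or m.group(3) != "==":
            raise ValueError(f"not pinned with ==: {entry}")
        hashes = re.findall(r"--hash=(\w+:[0-9a-f]+)", entry)
        if not hashes:
            raise ValueError(f"missing --hash: {entry}")
        pins[normalize(m.group(1))] = (m.group(4), hashes)  # extras such as [secure] are dropped
    return pins

def vtuple(version):
    return tuple(int(p) for p in version.split("."))  # simplified ordering, not full PEP 440

def satisfies(version, specifier):
    """Check 'version' against a comma-separated specifier like '<1.27,>=1.25.4'."""
    for clause in filter(None, specifier.replace(" ", "").split(",")):
        m = re.fullmatch(r"([<>=!]+)([0-9][0-9.]*)", clause)
        if not m or not OPS[m.group(1)](vtuple(version), vtuple(m.group(2))):
            return False
    return True

def check_dependency(pins, dep):
    """True if a transitive constraint (e.g. botocore's 'urllib3<1.27,>=1.25.4') is covered by a pin."""
    m = re.match(NAME + r"(.*)$", dep.strip())
    pinned = pins.get(normalize(m.group(1)))
    return pinned is not None and satisfies(pinned[0], m.group(3))
```

Running the audit before `pip install --require-hashes` surfaces an unpinned or unhashed line in the lockfile itself; a constraint that still fails in pip after this passes points at how the resolver matches the dependency to the pin, as in the report above, rather than at the lockfile.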

di commented Apr 24, 2021

This is a duplicate of #9644.

@uranusjr uranusjr added resolution: duplicate Duplicate of an existing issue/PR and removed S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior labels Apr 24, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 29, 2021