Last active September 30, 2022 18:57
The missing `pip integrity` command
#!/usr/bin/env python3
# The missing 'pip integrity' command.
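# This verifies the correctness of an unpacked pip package
# by comparing each installed file against the hash recorded in the
# package's 'RECORD' file.
# Spec: the RECORD format is described in PEP 376 and the PyPA
# "Recording installed projects" specification (the link was lost in this copy).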
import sys
import base64
import hashlib
from importlib.metadata import files
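def integrity(package):
    """Check an installed distribution's files against the hashes in its RECORD.

    Every entry returned by ``importlib.metadata.files(package)`` that carries
    a hash is re-hashed from disk with the algorithm named in RECORD and
    compared with the recorded value (unpadded URL-safe base64). When RECORD
    also lists a size, the number of bytes read must match it.

    Limits of this check, which matter when it is used as a tamper check:

    * RECORD sits in the same directory tree as the files it describes and is
      not signed. A mismatch shows corruption or a modification that did not
      also update RECORD; a clean result does not rule out changes made by
      someone who could rewrite RECORD too.
    * Only files listed in RECORD are examined. Files added to the package
      directory afterwards are not noticed.
    * Entries without a hash are skipped.

    Args:
        package: Distribution name as accepted by ``importlib.metadata``.

    Returns:
        True when every hashed entry matches, False otherwise (including when
        the distribution exposes no file list at all).

    Raises:
        importlib.metadata.PackageNotFoundError: if the distribution is not
            installed (raised by ``files``).
    """
    entries = files(package)
    if entries is None:
        # files() returns None when the distribution has no file listing;
        # nothing can be verified, so report failure rather than success.
        print(f"{package}: no file list (RECORD) available", file=sys.stderr)
        return False

    valid = True
    for content in entries:
        if not content.hash:
            continue
        path = content.locate()
        actual = None
        size = 0
        try:
            hasher = hashlib.new(content.hash.mode)
            with open(path, "rb") as fd:
                while True:
                    chunk = fd.read(65536)
                    if not chunk:
                        break
                    size += len(chunk)
                    hasher.update(chunk)
            # wheel stores hashes in unpadded base64, so convert to that
            actual = (
                base64.urlsafe_b64encode(hasher.digest()).decode().rstrip("=")
            )
        except (OSError, ValueError) as exc:
            # OSError: file missing or unreadable. ValueError: RECORD names a
            # hash algorithm hashlib does not provide. Either way the entry
            # cannot be confirmed, so it is reported as failed below.
            print(f"{path}: {exc}", file=sys.stderr)
        size_ok = content.size is None or content.size == size
        if actual == content.hash.value and size_ok:
            print(f"{path}: passed")
        else:
            print(f"{path}: failed")
            valid = False
    return valid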
if __name__ == '__main__':
    # Verify every distribution named on the command line. The list is built
    # in full so that a failure in one package does not stop the others from
    # being checked; the exit status is 1 if any of them failed.
    outcomes = [integrity(name) for name in sys.argv[1:]]
    if not all(outcomes):
        raise SystemExit(1)