Hash comparison is case-sensitive

[zooba]

Description

Azure Artifacts made a change (which they're reverting) to normalise hashes to uppercase. This revealed that pip is doing a case-sensitive comparison on hashes from URLs:

Collecting cryptography
  Downloading https://pkgs.dev.azure.com/***/_packaging/***/pypi/download/cryptography/42.0.7/cryptography-42.0.7-cp39-abi3-win32.whl (2.4 MB)
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    cryptography from https://pkgs.dev.azure.com/***/_packaging/***/pypi/download/cryptography/42.0.7/cryptography-42.0.7-cp39-abi3-win32.whl#sha256=E6B79D0ADB01AAE87E8A44C2B64BC3F3FE59515280E00FB6D57A7267A2583CDA (from -r windows-cryptography/test-requirements.txt (line 4)):
        Expected sha256 E6B79D0ADB01AAE87E8A44C2B64BC3F3FE59515280E00FB6D57A7267A2583CDA
             Got        e6b79d0adb01aae87e8a44c2b64bc3f3fe59515280e00fb6d57a7267a2583cda

(There's no requirements file involved here - the hash is coming from the URL fragment and being compared to the package.)

Expected behavior

Hash comparisons that differ only by case should be allowed. PEP 503 specifies the case for the hash name (the sha256= bit), but says nothing about the case of the hash value.

As hexadecimal is case-insensitive, it's fair to expect a comparison to be case-insensitive.

pip version

24

Python version

3.12

OS

Windows

How to Reproduce

1. Copy the URL to any download file on PyPI
2. Copy the hash from the PyPI page, make it upper case.
3. pip install <url>#sha256=<hash>

For example:

pip install https://files.pythonhosted.org/packages/78/63/66c03eb51f0d241862083deb3f17ab5fce08cf6b347db7887bcb4d1a194e/cryptography-42.0.7.tar.gz#sha256=ECBFBC00BF55888EDDA9868A4CF927205DE8499E7FABE6C050322298382953F2

Output

D:\> pip install https://files.pythonhosted.org/packages/78/63/66c03eb51f0d241862083deb3f17ab5fce08cf6b347db7887bcb4d1a194e/cryptography-42.0.7.tar.gz#sha256=ECBFBC00BF55888EDDA9868A4CF927205DE8499E7FABE6C050322298382953F2
Collecting https://files.pythonhosted.org/packages/78/63/66c03eb51f0d241862083deb3f17ab5fce08cf6b347db7887bcb4d1a194e/cryptography-42.0.7.tar.gz#sha256=ECBFBC00BF55888EDDA9868A4CF927205DE8499E7FABE6C050322298382953F2
  Downloading cryptography-42.0.7.tar.gz (671 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 671.2/671.2 kB 3.8 MB/s eta 0:00:00
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    https://files.pythonhosted.org/packages/78/63/66c03eb51f0d241862083deb3f17ab5fce08cf6b347db7887bcb4d1a194e/cryptography-42.0.7.tar.gz#sha256=ECBFBC00BF55888EDDA9868A4CF927205DE8499E7FABE6C050322298382953F2:
        Expected sha256 ECBFBC00BF55888EDDA9868A4CF927205DE8499E7FABE6C050322298382953F2
             Got        ecbfbc00bf55888edda9868a4cf927205de8499e7fabe6c050322298382953f2

Code of Conduct

• I agree to follow the PSF Code of Conduct.