Fix --require-hashes trusting link hashes

When a direct URL with hash is provided as a dependency, --require-hash incorrectly considered the link hash as trusted.
author: Stéphane Bidoul <stephane.bidoul@gmail.com> 2023-04-08 18:57:37 +0200
committer: Stéphane Bidoul <stephane.bidoul@gmail.com> 2023-04-10 13:21:00 +0200
commit: f5f0302516e4adc5b8541832da803784d44b0a0f (patch)
tree: 8a361511f2b7b77e5c768e651b5f061b66489f76 /src
parent: 0ffc54dca3dd0f64eb9498a37908ae756294da7d (diff)
download: pip-f5f0302516e4adc5b8541832da803784d44b0a0f.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/src/pip/_internal/req/req_install.py b/src/pip/_internal/req/req_install.py
index baa671638..e2353f032 100644
--- a/src/pip/_internal/req/req_install.py
+++ b/src/pip/_internal/req/req_install.py
@@ -287,7 +287,12 @@ class InstallRequirement:
 
         """
         good_hashes = self.hash_options.copy()
-        link = self.link if trust_internet else self.original_link
+        if trust_internet:
+            link = self.link
+        elif self.original_link and self.user_supplied:
+            link = self.original_link
+        else:
+            link = None
         if link and link.hash:
             good_hashes.setdefault(link.hash_name, []).append(link.hash)
         return Hashes(good_hashes)
author	Stéphane Bidoul <stephane.bidoul@gmail.com>	2023-04-08 18:57:37 +0200
committer	Stéphane Bidoul <stephane.bidoul@gmail.com>	2023-04-10 13:21:00 +0200
commit	f5f0302516e4adc5b8541832da803784d44b0a0f (patch)
tree	8a361511f2b7b77e5c768e651b5f061b66489f76 /src
parent	0ffc54dca3dd0f64eb9498a37908ae756294da7d (diff)
download	pip-f5f0302516e4adc5b8541832da803784d44b0a0f.tar.gz