canonical · lengau · Jul 10, 2024 · Jul 2, 2024 · Jul 3, 2024 · Jul 9, 2024
diff --git a/charmcraft/charm_builder.py b/charmcraft/charm_builder.py
@@ -41,8 +41,9 @@
     validate_strict_dependencies,
 )
 
-MINIMUM_PIP_VERSION = (23, 0)
-KNOWN_GOOD_PIP_URL = "https://files.pythonhosted.org/packages/ba/19/e63fb4e0d20e48bd2167bb7e857abc0e21679e24805ba921a224df8977c0/pip-23.2.1.tar.gz"
+MINIMUM_PIP_VERSION = (24, 1)
+KNOWN_GOOD_PIP_URL = "https://files.pythonhosted.org/packages/c0/d0/9641dc7b05877874c6418f8034ddefc809495e65caa14d38c7551cd114bb/pip-24.1.1.tar.gz"
+KNOWN_GOOD_PIP_HASH = "sha256:5aa64f65e1952733ee0a9a9b1f52496ebdb3f3077cc46f80a16d983b58d1180a"
 
 
 def relativise(src, dst):
@@ -237,7 +238,7 @@ def _install_dependencies(self, staging_venv_dir):
             # common charm dependencies (e.g. ops). Resolve this by updating to a
             # known working version of pip.
             if get_pip_version(pip_cmd) < MINIMUM_PIP_VERSION:
-                _process_run([pip_cmd, "install", f"pip@{KNOWN_GOOD_PIP_URL}"])
+                _process_run([pip_cmd, "install", f"pip@{KNOWN_GOOD_PIP_URL}", f"--hash={KNOWN_GOOD_PIP_HASH}"])
 
         with instrum.Timer("Installing all dependencies"):
             if self.strict_dependencies:

diff --git a/tests/test_charm_builder.py b/tests/test_charm_builder.py
@@ -27,6 +27,7 @@
 
 from charmcraft import charm_builder, const
 from charmcraft.charm_builder import (
+    KNOWN_GOOD_PIP_HASH,
     KNOWN_GOOD_PIP_URL,
     CharmBuilder,
     _process_run,
@@ -610,7 +611,7 @@ def test_build_dependencies_virtualenv_simple(tmp_path, assert_output):
 
     assert mock.mock_calls == [
         call(["python3", "-m", "venv", str(tmp_path / const.STAGING_VENV_DIRNAME)]),
-        call([pip_cmd, "install", f"pip@{KNOWN_GOOD_PIP_URL}"]),
+        call([pip_cmd, "install", f"pip@{KNOWN_GOOD_PIP_URL}", f"--hash={KNOWN_GOOD_PIP_HASH}"]),
         call([pip_cmd, "install", f"--requirement={reqs_file}"]),
     ]
 
@@ -649,7 +650,7 @@ def test_build_dependencies_virtualenv_multiple(tmp_path, assert_output):
     pip_cmd = str(charm_builder._find_venv_bin(tmp_path / const.STAGING_VENV_DIRNAME, "pip"))
     assert mock.mock_calls == [
         call(["python3", "-m", "venv", str(tmp_path / const.STAGING_VENV_DIRNAME)]),
-        call([pip_cmd, "install", f"pip@{KNOWN_GOOD_PIP_URL}"]),
+        call([pip_cmd, "install", f"pip@{KNOWN_GOOD_PIP_URL}", f"--hash={KNOWN_GOOD_PIP_HASH}"]),
         call(
             [
                 pip_cmd,
@@ -712,7 +713,7 @@ def test_build_dependencies_virtualenv_packages(tmp_path, assert_output):
 
     assert mock.mock_calls == [
         call(["python3", "-m", "venv", str(tmp_path / const.STAGING_VENV_DIRNAME)]),
-        call([pip_cmd, "install", f"pip@{KNOWN_GOOD_PIP_URL}"]),
+        call([pip_cmd, "install", f"pip@{KNOWN_GOOD_PIP_URL}", f"--hash={KNOWN_GOOD_PIP_HASH}"]),
         call([pip_cmd, "install", "--no-binary=pkg1,pkg2", "pkg1", "pkg2"]),
     ]
 
@@ -747,7 +748,7 @@ def test_build_dependencies_virtualenv_binary_packages(tmp_path, assert_output):
 
     assert mock.mock_calls == [
         call(["python3", "-m", "venv", str(tmp_path / const.STAGING_VENV_DIRNAME)]),
-        call([pip_cmd, "install", f"pip@{KNOWN_GOOD_PIP_URL}"]),
+        call([pip_cmd, "install", f"pip@{KNOWN_GOOD_PIP_URL}", f"--hash={KNOWN_GOOD_PIP_HASH}"]),
         call([pip_cmd, "install", "pkg1", "pkg2"]),
     ]
 
@@ -788,7 +789,7 @@ def test_build_dependencies_virtualenv_all(tmp_path, assert_output):
 
     assert mock.mock_calls == [
         call(["python3", "-m", "venv", str(tmp_path / const.STAGING_VENV_DIRNAME)]),
-        call([pip_cmd, "install", f"pip@{KNOWN_GOOD_PIP_URL}"]),
+        call([pip_cmd, "install", f"pip@{KNOWN_GOOD_PIP_URL}", f"--hash={KNOWN_GOOD_PIP_HASH}"]),
         call(
             [
                 pip_cmd,