Download source regression in 10.25

[stumpylog]

Issue description

When installing packages from the same lock file, 10.25 will fail with hash check error, while 10.12 will succeed.

Expected result

Both should install the packages.

Actual result

Based on what I can tell, the lockfile includes the SHAs for the .whl and the .tar.gz from PyPi. However, it actually downloads the wheel from PiWheels instead, which has a different SHA, not listed in the lock file.

So it's kind these steps happening

1. The index listed in the Pipfile.lock is pypi (ref)
2. The SHAs are from PyPi
3. The download happens from PiWheels (ref)

[pipenv.exceptions.InstallError]:     asgiref==3.5.2 from https://www.piwheels.org/simple/asgiref/asgiref-3.5.2-py3-none-any.whl#sha256=dda3f0b6b921471f50c266c63f0a8a6eb2c65e66359915db18b69b8d629ca594 (from -r /tmp/pipenv-yap_1oy1-requirements/pipenv-u0qmzuvp-hashed-reqs.txt (line 1)):
[pipenv.exceptions.InstallError]:         Expected sha256 1d2880b792ae8757289136f1db2b7b99100ce959b2aa57fd69dab783d05afac4
[pipenv.exceptions.InstallError]:         Expected     or 4a29362a6acebe09bf1d6640db38c1dc3d9217c68e6f9f6204d72667fc19a424
[pipenv.exceptions.InstallError]:              Got        dda3f0b6b921471f50c266c63f0a8a6eb2c65e66[35](https://github.com/stumpylog/pipenv-issue-repro/actions/runs/3332756300/jobs/5513993154#step:5:36)9915db18b69b8d629ca594

Steps to replicate

I threw together a basic repo here: https://github.com/stumpylog/pipenv-issue-repro

---

Please run $ pipenv --support, and paste the results here. Don't put backticks (`) around it! The output already contains Markdown formatting.

If you're on macOS, run the following:

$ pipenv --support | pbcopy

If you're on Windows, run the following:

> pipenv --support | clip

If you're on Linux, run the following:

$ pipenv --support | xclip

[matteius]

I am not sure what is causing this, but I can confirm that generating the lock file on the prior versions and the current version yields the same lock file, but pip itself (which was upgraded to latest 22.3) is rejecting the hashes and expecting a different hash on the latest version. Updating the lock file does not add the expected hash, so we are looking at a bug/regression of some kind.

[matteius]

Ah well I got somewhere at least -- the issue is that its trying to install from the wrong index and getting a different hash. When I remove from the lock file:

            {
                "name": "piwheels",
                "url": "https://www.piwheels.org/simple",
                "verify_ssl": true
            }

then it installs fine -- it seems something is not working right with index restricted packages anymore.