"hash" value in file direct_url.json uses incorrect separator

[chopeen]

• Poetry version: 1.3.2

• Python version: 3.8.16

• OS version and name: Ubuntu 20.04.5 LTS (Focal Fossa)

• pyproject.toml: https://gist.github.com/chopeen/ab18e5490fad88698ac6ed2dd5ba4435

• I am on the latest stable Poetry version, installed using a recommended method.

• I have searched the issues of this repo and believe that this is not a duplicate.

• I have consulted the FAQ and blog for any relevant entries or release notes.

• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below.

Issue

After running poetry install, there is a file direct_url.json under en_core_web_sm-3.5.0.dist-info, with the following contents (below I formatted it for readability):

{
  "url": "https://github.com/explosion/spacy-models/releases/download/en_core_web_sm-3.5.0/en_core_web_sm-3.5.0.tar.gz",
  "archive_info": {
    "hash": "sha256:63d38fecdd4290635c7af4d4f6da50902bdc6c1732ce416b55c2b76c4b0c4626"
  }
}

The colon : separator after sha256 is does not comply with the PyPA spec:

A deprecated hash key (type string) MAY be present for backwards compatibility purposes, with value <hash-algorithm>=<expected-hash>.

It should be equals sign.

Because of that issue, pip v23.0 crashes when trying to list packages in a Poetry environment that contains archives installed from URL - see pypa/pip#11773 for details.

[dimbleby]

diff --git a/src/poetry/installation/executor.py b/src/poetry/installation/executor.py
index 0496a5f8..e5582413 100644
--- a/src/poetry/installation/executor.py
+++ b/src/poetry/installation/executor.py
@@ -798,7 +798,8 @@ class Executor:
         archive_info = {}

         if package.name in self._hashes:
-            archive_info["hash"] = self._hashes[package.name]
+            algorithm, value = self._hashes[package.name].split(":")
+            archive_info["hashes"] = {algorithm: value}

         reference = {"url": package.source_url, "archive_info": archive_info}

(and similar a few lines down in _create_file_url_reference)

probably, if anyone wants to put together a merge request and drive this through.

The number of testcases that fail on making that change - zero - suggests a gap that should probably be filled at the same time (which I am too lazy to fill myself!)

[chopeen]

Thank for the hint @dimbleby!

I have just submitted PR #7475.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.