Support --hash on the command line

[erikrose]

#3137 supports specifying package hashes using --hash in requirements files. The next step is to support --hash on the command line so, both for consistency and for the convenience of not having to make a temporary requirements file just to install a package while checking against a hash.

A prerequisite to this is probably to change from optparse to click, which supports the interleaving of options and arguments on the command line. @dstufft mentioned an interested in making this switch at one point. The intent is for this to work:

pip install foo==1.0 --hash=sha256:hash_for_foo12345 \
            bar==2.0 --hash=sha256:hash_for_bar12345 --hash=sha256:another_hash_for_bar12345

[pradyunsg]

Linking with #4659.

[edmorley]

Is switching from optparse to click still a prerequisite for this?

[pfmoore]

What is necessary is to have an option structure that is supported by our command line parser. The proposed structure needs to interleave non-option arguments and options, which optparse doesn't support. If you want to propose a different UI, which works with optparse, then switching to click might no longer be a prerequisite.

But personally, I can't think of any UI that wouldn't be clumsy here. The UI proposed by the OP here strikes me as being "less bad" rather than actually good. And given that I don't think the arguments for needing this feature are very strong in the first place, I'm not in favour of a bad UI for a not-very-useful feature...

[Ablu]

Workaround in some cases can be to use an anonymous pipe to "fake" a requirements.txt:

pip install --require-hashes -r <(echo 'uv==0.6.11 --hash=sha256:6f3c2adb80f0b93ad312daff7ebb1bf4b26456d7d35a1687827ed03f11d238d7')

[tested with bash]