Obey --require-hashes option in requirements files.

Removed the mention of "package index options" in the docs, because they don't all fit that category anymore. Not even --no-binary and --only-binary do; they're "install options".

docs/reference/pip_install.rst

@@ -101,7 +101,7 @@ and the newline following it is effectively ignored.
 
 Comments are stripped *before* line continuations are processed.
 
-Additionally, the following Package Index Options are supported:
+The following options are supported:
 
   *  :ref:`-i, --index-url <--index-url>`
   *  :ref:`--extra-index-url <--extra-index-url>`
@@ -109,6 +109,7 @@ Additionally, the following Package Index Options are supported:
   *  :ref:`-f, --find-links <--find-links>`
   *  :ref:`--no-binary <install_--no-binary>`
   *  :ref:`--only-binary <install_--only-binary>`
+  *  :ref:`--require-hashes <--require-hashes>`
 
 For example, to specify :ref:`--no-index <--no-index>` and 2 :ref:`--find-links <--find-links>` locations:
 
@@ -486,6 +487,8 @@ against any requirement not only checks that hash but also activates a global
 * ``--egg`` is disallowed, because it delegates installation of dependencies
   to setuptools, giving up pip's ability to enforce any of the above.
 
+.. _`--require-hashes`:
+
 Hash-checking mode can be forced on with the ``--require-hashes`` command-line
 option::
 

pip/basecommand.py

@@ -280,6 +280,9 @@ class RequirementCommand(Command):
                     wheel_cache=wheel_cache):
                 found_req_in_file = True
                 requirement_set.add_requirement(req)
+        # If --require-hashes was a line in a requirements file, tell
+        # RequirementSet about it:
+        requirement_set.require_hashes = options.require_hashes
 
         if not (args or options.editables or found_req_in_file):
             opts = {'name': name}

pip/req/req_file.py

@@ -46,6 +46,7 @@ SUPPORTED_OPTIONS = [
     cmdoptions.pre,
     cmdoptions.process_dependency_links,
     cmdoptions.trusted_host,
+    cmdoptions.require_hashes,
 ]
 
 # options to be passed to requirements
@@ -123,6 +124,7 @@ def process_line(line, filename, line_number, finder=None, comes_from=None,
     affect the finder.
 
     :param constraint: If True, parsing a constraints file.
+    :param options: OptionParser options that we may update
     """
     parser = build_parser()
     defaults = parser.get_default_values()
@@ -187,6 +189,10 @@ def process_line(line, filename, line_number, finder=None, comes_from=None,
         for req in parser:
             yield req
 
+    # percolate hash-checking option upward
+    elif opts.require_hashes:
+        options.require_hashes = opts.require_hashes
+
     # set finder options
     elif finder:
         if opts.allow_external:

pip/req/req_set.py

@@ -190,7 +190,7 @@ class RequirementSet(object):
             wheel_download_dir = normalize_path(wheel_download_dir)
         self.wheel_download_dir = wheel_download_dir
         self._wheel_cache = wheel_cache
-        self._require_hashes = require_hashes
+        self.require_hashes = require_hashes
         # Maps from install_req -> dependencies_of_install_req
         self._dependencies = defaultdict(list)
 
@@ -331,7 +331,7 @@ class RequirementSet(object):
         # If any top-level requirement has a hash specified, enter
         # hash-checking mode, which requires hashes from all.
         root_reqs = self.unnamed_requirements + self.requirements.values()
-        require_hashes = (self._require_hashes or
+        require_hashes = (self.require_hashes or
                           any(req.has_hash_options for req in root_reqs))
         if require_hashes and self.as_egg:
             raise InstallationError(

tests/unit/test_req.py

@@ -6,6 +6,7 @@ import tempfile
 import pytest
 
 from mock import Mock, patch, mock_open
+from pip.commands.install import InstallCommand
 from pip.exceptions import (PreviousBuildDirError, InvalidWheelFilename,
                             UnsupportedWheel)
 from pip.download import path_to_url, PipSession
@@ -16,7 +17,7 @@ from pip.req.req_file import process_line
 from pip.req.req_install import parse_editable
 from pip.utils import read_text_file
 from pip._vendor import pkg_resources
-from tests.lib import assert_raises_regexp
+from tests.lib import assert_raises_regexp, requirements_file
 
 
 class TestRequirementSet(object):
@@ -125,6 +126,21 @@ class TestRequirementSet(object):
             reqset.prepare_files,
             finder)
 
+    def test_missing_hash_with_require_hashes_in_reqs_file(self, data, tmpdir):
+        """--require-hashes in a requirements file should make its way to the
+        RequirementSet.
+        """
+        req_set = self.basic_reqset(require_hashes=False)
+        session = PipSession()
+        finder = PackageFinder([data.find_links], [], session=session)
+        command = InstallCommand()
+        with requirements_file('--require-hashes', tmpdir) as reqs_file:
+            options, args = command.parse_args(['-r', reqs_file])
+            command.populate_requirement_set(
+                req_set, args, options, finder, session, command.name,
+                wheel_cache=None)
+        assert req_set.require_hashes
+
     def test_unsupported_hashes(self, data):
         """VCS and dir links should raise errors when --require-hashes is
         on.