Resolve package hashes against pypi

Fixes #462 in combination with 2ed0eb33

- This also likely addresses the root cause behind #270
- Kenneth's fix for post-releases in 2ed0eb33 fixes #400

pipenv/utils.py

@@ -26,6 +26,10 @@ def shellquote(s):
         return "'" + s.replace("'", "'\\''") + "'"
 
 
+def clean_pkg_version(version):
+    return six.u(pep440_version(str(version))).replace('==', '')
+
+
 def resolve_deps(deps, sources=None, verbose=False, hashes=False):
 
     constraints = []
@@ -53,10 +57,18 @@ def resolve_deps(deps, sources=None, verbose=False, hashes=False):
 
     r = Resolver(constraints=constraints, repository=pypi)
     results = []
+    _hashes = r.resolve_hashes(r.resolve())
+    # convert to a dictionary indexed by package names instead of install req objects
+    resolved_hashes = {}
+    for req, _hash in _hashes.items():
+        resolved_hashes[pep423_name(req.name)] = {
+            'version': clean_pkg_version(req.specifier),
+            'hashes': list(_hash)
+        }
 
     for result in r.resolve():
         name = pep423_name(result.name)
-        version = six.u(pep440_version(str(result.specifier))).replace('==', '')
+        version = clean_pkg_version(result.specifier)
 
         if hashes:
             try:
@@ -66,6 +78,9 @@ def resolve_deps(deps, sources=None, verbose=False, hashes=False):
                     collected_hashes.append(release['digests']['sha256'])
 
                 collected_hashes = ['sha256:' + s for s in collected_hashes]
+                # Add pypi resolved hashes
+                if name in resolved_hashes and resolved_hashes[name]['version'] == version:
+                    collected_hashes.extend(resolved_hashes[name]['hashes'])
 
                 results.append({'name': name, 'version': version, 'hashes': collected_hashes})
             except ValueError:
@@ -346,3 +361,4 @@ def find_requirements(max_depth=3):
                     if os.path.isfile(r):
                         return r
         raise RuntimeError('No requirements.txt found!')
+