Strange dependency specifier behavior when using export

[alexifm]

• I am on the latest Poetry version.
• I have searched the issues of this repo and believe that this is not a duplicate.
• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

• OS version and name: macos 10.15.7
• Poetry version: 1.1.4

Issue

This is related to #30 and comes from this comment: https://github.com/python-poetry/poetry/issues/3160#issuecomment-726236225

Now though, I have a clear example of what's happening in the requirements.txt file that is breaking the install.

Here is the relevant portion of a boilerplate pyproject.toml file from poetry new

[tool.poetry.dependencies]
python = "~3.8"

[tool.poetry.dev-dependencies]
moto = "1.3.14"
python-semantic-release = "^6.4"
# cryptography = "^3.2.1"

Here is the relevant output of poetry export --dev --format=requirements.txt

cryptography==3.2.1; python_version >= "3.6" and python_full_version < "3.0.0" and sys_platform == "linux" or sys_platform == "linux" and python_version >= "3.6" and python_full_version >= "3.5.0" \
    --hash=sha256:6dc59630ecce8c1f558277ceb212c751d6730bd12c80ea96b4ac65637c4f55e7 \
...

If I create a new identical clean virtual environment (replicating a pipeline setup that uses nox or tox) and run pip install --constraint=requirements.txt moto, I will get something like this:

$ pip install --constraint=requirements.txt moto
...
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    cryptography>=2.3.0 from https://files.pythonhosted.org/packages/c4/78/6c28c899181c395d8e07778110caff21248ba97774e567e7f7895951d92e/cryptography-3.2.1-cp35-abi3-macosx_10_10_x86_64.whl#sha256=bd717aa029217b8ef94a7d21632a3bb5a4e7218a4513d2521c2a2fd63011e98b (from moto==1.3.14->-c requirements.txt (line 387))

If I uncomment the cryptography dependency, the relevant line in the requirements.txt file will become:

cryptography==3.2.1; (python_version >= "2.7" and python_full_version < "3.0.0") or (python_full_version >= "3.5.0") \
    --hash=sha256:6dc59630ecce8c1f558277ceb212c751d6730bd12c80ea96b4ac65637c4f55e7 \
...

which is a dependency pattern that looks much nicer and more sane. And the pip install ends up working fine.

Alternatively, if I remove the dependency on python-semantic-release and leave cryptography commented out, this also works. This problem appears to come from some combination a) the dependency solve between these two packages that use cryptography directly or through another dependency, b) the writing of the lock file, and c) the exporting of the lock file to requirements.

[dimbleby]

export today gives

cryptography==37.0.2 ; python_version >= "3.8" and python_version < "3.9" \
    --hash=sha256:093cb351031656d3ee2f4fa1be579a8c69c754cf874206be1d4cf3b542042804 \
...

Clearly things have moved on since cryptography 3.2.1 was the latest, without the original lockfile it's probably too hard to reproduce the exact setup reported. However this looks very clean,

Then

$ pip install --constraint=requirements.txt moto
Collecting moto
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    moto from https://files.pythonhosted.org/packages/1e/84/6e115b45be00273c7cfad5b9506b7c8a78bc7d2a11afe72517a7f6d01289/moto-1.3.14-py2.py3-none-any.whl#sha256=2b3fa22778504b45715868cad95ad458fdea7227f9005b12e522fc9c2ae0cabc

which is fair enough, that command line indeed does not provide a hash for moto.

So far as I can tell, there's no problem remaining here.