
Backport fix for mismatching hash check#193

Merged

sdispater merged 2 commits into python-poetry:1.0 from pietrodn:fix/package-clone-backport on Aug 26, 2021

Conversation

@pietrodn

Backport #159 to poetry-core 1.0 as this is part of an important security fix.

See python-poetry/poetry#3885 and python-poetry/poetry#2422

I think that this fix exposes a preexisting bug in Poetry where poetry install fails with the following:

$ ~/git/poetry/.venv/bin/poetry install
Creating virtualenv tmp in /Users/pietro/tmp/.venv
Installing dependencies from lock file

Package operations: 1 install, 0 updates, 0 removals

  • Installing attrs (21.2.0): Failed

  AttributeError

  'Link' object has no attribute 'is_absolute'

  at ~/git/poetry/.venv/lib/python3.9/site-packages/poetry/core/packages/file_dependency.py:34 in __init__
       30│         self._base = base or Path.cwd()
       31│         self._full_path = path
       32│
       33│         #raise ValueError(type(path))
    →  34│         if not self._path.is_absolute():
       35│             try:
       36│                 self._full_path = self._base.joinpath(self._path).resolve()
       37│             except FileNotFoundError:
       38│                 raise ValueError("Directory {} does not exist".format(self._path))

I think that there is an underlying bug where an object that should be a Path is actually a Link, and that is exposed by the fact that the Package.files attribute gets cloned, and not lost as of now in Poetry 1.1.8.

0xDEC0DE and others added 2 commits August 21, 2021 21:48
Downstream clients (e.g., poetry) appear to assume that the result
of a Package.clone() will be a full-fidelity copy of the original.

Use `copy.deepcopy` to clone the object, and ensure that this is
the case.

Resolves Issue #2422

Co-authored-by: Nicolas Simonds <nisimond@cisco.com>
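Added illustration of the point the description and the commit message make: a clone that rebuilds the package from name and version only drops the recorded file hashes, so a downstream hash check has nothing to verify, whereas a `copy.deepcopy` clone keeps them and a tampered archive is caught. This is example code written for this page, not poetry-core's own code; `Package`, `clone_lossy`, `clone_full`, `verify_archive` and the sample archive contents are constructed for the demonstration.

```python
import copy
import hashlib
from dataclasses import dataclass, field


@dataclass
class Package:
    """Constructed stand-in for a package record carrying its lock-file hashes."""
    name: str
    version: str
    # each entry mirrors the assumed lock-file shape: {"file": ..., "hash": "sha256:<hex>"}
    files: list = field(default_factory=list)

    def clone_lossy(self) -> "Package":
        # Rebuilds from name/version only: the files list, and every hash in it, is lost.
        return Package(self.name, self.version)

    def clone_full(self) -> "Package":
        # Full-fidelity copy, the approach the backported commit describes.
        return copy.deepcopy(self)


def verify_archive(pkg: Package, filename: str, data: bytes) -> str:
    """Return 'ok', 'mismatch', or 'unverified' when no hash is recorded for the archive."""
    expected = {f["file"]: f["hash"] for f in pkg.files}
    if filename not in expected:
        return "unverified"
    algo, _, digest = expected[filename].partition(":")
    actual = hashlib.new(algo, data).hexdigest()
    return "ok" if actual == digest else "mismatch"


def demo() -> dict:
    good = b"constructed archive contents"
    tampered = b"constructed archive contents, modified in transit"
    archive = "attrs-21.2.0-example.whl"  # constructed filename, not a real artifact
    pkg = Package("attrs", "21.2.0", files=[
        {"file": archive, "hash": "sha256:" + hashlib.sha256(good).hexdigest()},
    ])
    return {
        # lossy clone: the hash list is gone, so the tampered archive is never compared
        "lossy_tampered": verify_archive(pkg.clone_lossy(), archive, tampered),
        # deepcopy clone: hashes survive, tampering is detected and a clean archive passes
        "full_tampered": verify_archive(pkg.clone_full(), archive, tampered),
        "full_good": verify_archive(pkg.clone_full(), archive, good),
        # the copy owns its own files list rather than aliasing the original's
        "full_is_independent": pkg.clone_full().files is not pkg.files,
    }


if __name__ == "__main__":
    print(demo())
```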
@sdispater sdispater merged commit 52e543b into python-poetry:1.0 Aug 26, 2021
@pietrodn pietrodn deleted the fix/package-clone-backport branch August 26, 2021 17:48