psf / fundable-packaging-improvements

Packaging improvements that could be funded


Implement a lockfile format

xmunoz opened this issue · comments

pip currently uses requirements.txt to specify dependencies; it can specify versions of packages but not hashes. The newer pipfile format can include hashes, which some users prefer. But pip doesn't yet support pipfile, so many users are blocked from using hashes to better secure their Python runtimes. We have made some progress toward standardizing an interoperable lockfile format, but we need to finish that design standardization and consensus-gathering work and implement it in pip, pipenv, and related tools. We'd need Python engineering work and project management to develop and deploy this.

Related: PEP 650 -- Specifying Installer Requirements for Python Projects
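As an illustration of what hash-checked installation buys you, here is a small verifier in the style of a Pipfile.lock consumer. It is an added example, not code from pip, pipenv or this repository: the lockfile content, package names and artifact bytes are all constructed for the example, and the JSON layout only mirrors the public parts of Pipfile.lock (a version pin plus a list of `sha256:<hex>` entries per package). The point it demonstrates is the failure modes a lockfile installer has to refuse: an artifact whose digest is not in the locked set, a package that is not in the lockfile at all, and a lockfile entry that carries a version but no hashes.

```python
import hashlib
import json


class LockfileError(ValueError):
    """Raised when an artifact cannot be verified against the lockfile."""


# Constructed artifact bytes standing in for a downloaded wheel; the locked
# digest below is computed from them so the example is self-contained.
GOOD_ARTIFACT = b"constructed wheel bytes for example-pkg 1.0.0\n"
GOOD_SHA256 = hashlib.sha256(GOOD_ARTIFACT).hexdigest()

# Constructed lockfile in a Pipfile.lock-like layout (hypothetical package names).
LOCKFILE_JSON = json.dumps({
    "_meta": {"hash": {"sha256": "<placeholder: digest of the source Pipfile>"}},
    "default": {
        "example-pkg": {"version": "==1.0.0", "hashes": ["sha256:" + GOOD_SHA256]},
    },
})

# Same layout, but one entry pins a version without any hashes.  A hash-checking
# installer must reject the whole lockfile rather than silently trust that entry.
LOCKFILE_UNHASHED_JSON = json.dumps({
    "default": {
        "example-pkg": {"version": "==1.0.0", "hashes": ["sha256:" + GOOD_SHA256]},
        "unpinned-pkg": {"version": "==2.0.0"},
    },
})


def load_locked_hashes(lock_text, section="default"):
    """Parse the lockfile and return {package: set(hex digests)}.

    Every package in the section must carry at least one well-formed sha256
    entry; anything else is a LockfileError so that no package can be
    installed unverified.
    """
    data = json.loads(lock_text)
    locked = {}
    for name, entry in data.get(section, {}).items():
        hashes = entry.get("hashes", [])
        if not hashes:
            raise LockfileError(f"{name}: lockfile entry has no hashes")
        digests = set()
        for item in hashes:
            algo, _, hexdigest = item.partition(":")
            if algo != "sha256" or len(hexdigest) != 64:
                raise LockfileError(f"{name}: malformed or unsupported hash {item!r}")
            try:
                bytes.fromhex(hexdigest)
            except ValueError:
                raise LockfileError(f"{name}: non-hex digest {item!r}") from None
            digests.add(hexdigest.lower())
        locked[name] = digests
    return locked


def verify_artifact(name, artifact_bytes, locked):
    """Return the artifact's sha256 if it matches a locked digest, else raise."""
    if name not in locked:
        raise LockfileError(f"{name}: package is not in the lockfile")
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    if actual not in locked[name]:
        raise LockfileError(f"{name}: sha256 {actual} is not in the locked set")
    return actual


if __name__ == "__main__":
    locked = load_locked_hashes(LOCKFILE_JSON)
    print("ok:", verify_artifact("example-pkg", GOOD_ARTIFACT, locked))
    for label, func in [
        ("tampered artifact", lambda: verify_artifact("example-pkg", GOOD_ARTIFACT + b"x", locked)),
        ("unknown package", lambda: verify_artifact("other-pkg", GOOD_ARTIFACT, locked)),
        ("lockfile without hashes", lambda: load_locked_hashes(LOCKFILE_UNHASHED_JSON)),
    ]:
        try:
            func()
        except LockfileError as exc:
            print(f"rejected ({label}):", exc)
```

A real installer also has to tie the lockfile to the artifact it actually unpacks (verify the bytes on disk, not a separately fetched copy) and pin the lockfile's own provenance; the `_meta` digest slot above is only a placeholder for that.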

This has been picked up by volunteers, who've worked on this since Feb 2021 -- PEP 665 and https://discuss.python.org/t/11736/ is the current effort.

I think the "and implement" part still might require funding here?

Ok, I'll re-open and update the title.