Since version 8.0 (released a week ago), pip can check downloaded package archives against local hashes to protect against remote tampering. To verify a package against one or more hashes, add `--hash` options at the end of the requirement's line in your requirements.txt file:
FooProject==1.2 --hash=sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e \
    --hash=sha256:486ea46224d1bb4fb680f34f7c9ad96a
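As an added example (not code from the Requires.io post or from pip itself), the following Python script computes SHA-256 digests for downloaded archives, emits a requirement line in the pip 8 syntax, and checks an archive against the pinned digests the way pip does before installing; the archive names and contents are constructed.

```python
"""Added example (not from the Requires.io post or from pip): build and check
pip 8 hash-pinned requirement lines for locally downloaded archives."""
import hashlib
import re
import tempfile
from pathlib import Path

HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-f]+)")

def sha256_of(path):
    """Hex SHA-256 of a file, streamed so a large wheel is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def requirement_line(name, version, archive_paths):
    """Pin name==version with one --hash=sha256:<digest> per archive. A release
    often ships an sdist plus wheels, so several hashes are listed and pip accepts
    a download matching any of them. Once one requirement carries a hash, pip
    demands hashes on every requirement (--require-hashes)."""
    hashes = " \\\n    ".join("--hash=sha256:%s" % sha256_of(p) for p in archive_paths)
    return "%s==%s \\\n    %s" % (name, version, hashes)

def pinned_hashes(line):
    """Set of sha256 digests pinned on a (possibly backslash-continued) line."""
    joined = line.replace("\\\n", " ")
    return {m.group("digest") for m in HASH_RE.finditer(joined) if m.group("alg") == "sha256"}

def archive_matches(line, path):
    """True if the archive's SHA-256 is among the pinned digests: the check pip
    performs before installing, which is what defeats a tampered download."""
    return sha256_of(path) in pinned_hashes(line)

def demo():
    """Constructed sample: a fake sdist and wheel stand in for real downloads,
    plus a tampered copy of the wheel that must be rejected."""
    with tempfile.TemporaryDirectory() as d:
        sdist = Path(d, "FooProject-1.2.tar.gz")
        wheel = Path(d, "FooProject-1.2-py2.py3-none-any.whl")
        bad = Path(d, "tampered.whl")
        sdist.write_bytes(b"constructed sdist bytes")
        wheel.write_bytes(b"constructed wheel bytes")
        bad.write_bytes(b"constructed wheel bytes\x00")  # one byte appended
        line = requirement_line("FooProject", "1.2", [sdist, wheel])
        return {"line": line, "genuine": archive_matches(line, wheel),
                "tampered": archive_matches(line, bad), "hash_count": len(pinned_hashes(line))}
```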
Requires.io is now compatible with this feature, as you can see for instance on this project: mozilla/kuma.
A big thanks to jezdez for notifying us of this new feature of pip!