Use "pip install" safely
Briefly

The end result of that process, if you follow it, will be a set of 'requirements files' which can be given to pip to install from, and which will contain your entire dependency tree, fully resolved including all transitive dependencies-of-dependencies-of-dependencies (etc.), pinned to exact versions, and listing the expected hashes of the packages.
But really it ought to be: python -m pip install --require-hashes --no-deps --only-binary:all: -r requirements/app.txt
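An added example, not code from the original article: a pre-install check that a requirements file has the shape --require-hashes expects, with every entry pinned with == and carrying at least one --hash. The file contents, package names and digests are constructed, and accepting only sha256/sha384/sha512 digests and only name==version entries are assumptions of this example.

```python
import re

# Constructed sample: one correctly pinned and hashed entry, one unpinned,
# one pinned without a hash. The digests are placeholders, not real package hashes.
SAMPLE = """\
# requirements/app.txt (constructed)
alpha==1.2.3 \\
    --hash=sha256:{a} \\
    --hash=sha256:{b}
beta>=2.0 --hash=sha256:{a}
gamma==0.9.1
""".format(a="a" * 64, b="b" * 64)

PINNED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[^\s;*]+(?=\s|;|$)")
HASH = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-f]+)\b")
DIGEST_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}  # hex characters


def logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            yield line


def audit(text):
    """Return (requirement, problem) pairs for entries that are unpinned or unhashed."""
    problems = []
    for line in logical_lines(text):
        if line.startswith("-"):  # option lines such as --index-url
            continue
        name = line.split()[0]
        if not PINNED.match(line):
            problems.append((name, "not pinned with =="))
        hashes = HASH.findall(line)
        if not hashes:
            problems.append((name, "no --hash"))
        for algo, digest in hashes:
            if len(digest) != DIGEST_LEN[algo]:
                problems.append((name, "malformed %s digest" % algo))
    return problems


if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(name, "->", problem)
```

Run in CI against requirements/app.txt before the install step, this fails fast on an entry that was added by hand without going through the resolve-and-hash process.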
Read at B-list