The ways I have seen this issue solved are with file hashing (typically via a requirements.txt
file), or a controlled supply chain that is exposed via its own package server.
And as for option 1, see "How should a lockfile PEP (665 successor) look like?", where a potential lock file spec is being discussed.
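To make the first option concrete, here is a small added example (not code from this thread or from pip) that parses pip-style `name==version --hash=sha256:<hex>` pins from a requirements file and verifies downloaded artifact bytes against them, failing closed when a spec carries no hash; the package name and artifact bytes are constructed.

```python
"""Verify downloaded distribution files against hashes pinned in a
requirements.txt, the check that `pip install --require-hashes` enforces.
Added example: assumes the pip-style `--hash=<algo>:<hex>` line format;
sample spec and artifact bytes below are constructed.
"""
import hashlib
import shlex
from typing import Dict, List, Tuple

HashPin = Tuple[str, str]  # (algorithm, lowercase hexdigest)


def parse_requirements(text: str) -> Dict[str, List[HashPin]]:
    """Map each requirement spec to its pinned hashes (pip allows several per line)."""
    text = text.replace("\\\n", " ")  # join backslash line continuations
    pinned: Dict[str, List[HashPin]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        hashes: List[HashPin] = []
        for tok in tokens[1:]:
            if tok.startswith("--hash="):
                algo, _, digest = tok[len("--hash="):].partition(":")
                hashes.append((algo.lower(), digest.lower()))
        pinned[tokens[0]] = hashes
    return pinned


def verify_artifact(data: bytes, allowed: List[HashPin]) -> bool:
    """True if the bytes match any pinned hash; no pins at all means reject."""
    if not allowed:
        return False  # fail closed: an unpinned spec is not verifiable
    return any(hashlib.new(algo, data).hexdigest() == digest for algo, digest in allowed)


def pinned_line(spec: str, data: bytes) -> str:
    """Produce the requirements line that pins `spec` to the sha256 of `data`."""
    return f"{spec} --hash=sha256:{hashlib.sha256(data).hexdigest()}"


def check_downloads(requirements: str, downloads: Dict[str, bytes]) -> Dict[str, bool]:
    """Verify one downloaded file per spec; a missing download counts as a failure."""
    pinned = parse_requirements(requirements)
    return {spec: verify_artifact(downloads.get(spec, b""), pins) for spec, pins in pinned.items()}


if __name__ == "__main__":
    artifact = b"abc"  # constructed stand-in for a downloaded wheel
    reqs = pinned_line("example-pkg==1.0.0", artifact) + "\n"
    print(check_downloads(reqs, {"example-pkg==1.0.0": artifact}))
```

The `pinned_line` helper shows how a pin is generated from a locally verified artifact; in practice the pins come from the lock step, not from the download being checked.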