diff --git a/hashin.py b/hashin.py
index 27ecc62..df9ea8d 100755
--- a/hashin.py
+++ b/hashin.py
@@ -246,7 +246,7 @@ def run_packages(
         maybe_restriction = "" if not restriction else "; {0}".format(restriction)
         new_lines = "{0}=={1}{2} \\\n".format(req, data["version"], maybe_restriction)
         padding = " " * 4
-        for i, release in enumerate(sorted(data["hashes"], key=lambda r: r["hash"])):
+        for i, release in enumerate(data["hashes"], key=lambda r: r["hash"]):
             new_lines += "{0}--hash={1}:{2}".format(padding, algorithm, release["hash"])
             if i != len(data["hashes"]) - 1:
                 new_lines += " \\"
@@ -707,8 +707,9 @@ def get_package_hashes(
         else:
             raise PackageError("No releases could be found for {0}".format(version))
 
-    hashes = list(
-        get_releases_hashes(releases=releases, algorithm=algorithm, verbose=verbose)
+    hashes = sorted(
+        get_releases_hashes(releases=releases, algorithm=algorithm, verbose=verbose),
+        key=lambda r: r["hash"]
     )
     return {"package": package, "version": version, "hashes": hashes}
 
diff --git a/tests/test_cli.py b/tests/test_cli.py
index 0ba7f74..ff81cf3 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -2442,6 +2442,48 @@ def mocked_get(url, **options):
         hashin.get_package_hashes(package="uggamugga")
 
 
+def test_get_package_hashes_consistant_order(murlopen):
+    def mocked_get(url, **options):
+        if url == "https://pypi.org/pypi/hashin/json":
+            return _Response(
+                {
+                    "info": {"version": "0.10", "name": "hashin"},
+                    "releases": {
+                        "0.10": [
+                            {
+                                "url": "https://pypi.org/packages/3.3/p/hashin/hashin-0.10-py3-none-any.whl",
+                                "digests": {"sha256": "bbbbb"},
+                            },
+                            {
+                                "url": "https://pypi.org/packages/source/p/hashin/hashin-0.10.tar.gz",
+                                "digests": {"sha256": "ccccc"},
+                            },
+                            {
+                                "url": "https://pypi.org/packages/2.7/p/hashin/hashin-0.10-py2-none-any.whl",
+                                "digests": {"sha256": "aaaaa"},
+                            },
+                        ]
+                    },
+                }
+            )
+
+        raise NotImplementedError(url)
+
+    murlopen.side_effect = mocked_get
+
+    result = hashin.get_package_hashes(
+        package="hashin", version="0.10", algorithm="sha256"
+    )
+
+    expected = {
+        "package": "hashin",
+        "version": "0.10",
+        "hashes": [{"hash": "aaaaa"}, {"hash": "bbbbb"}, {"hash": "ccccc"}],
+    }
+
+    assert result == expected
+
+
 def test_with_extras_syntax(murlopen, tmpfile):
     """When you want to add the hashes of a package by using the
     "extras notation". E.g `requests[security]`.