Dockerfile apt-get "Hash Sum mismatch" in CI
apt downloaded a package index whose checksum does not match the hash recorded in the repository Release file. This is a stale or inconsistent index, not a signing-key problem.
What this error means
A RUN apt-get update step fails with "E: Failed to fetch ... Hash Sum mismatch" followed by "E: Some index files failed to download. They were ignored, or old ones used instead."
E: Failed to fetch http://deb.debian.org/debian/dists/bookworm/main/binary-amd64/Packages Hash Sum mismatch
Hashes of expected file:
- SHA256:...
Hashes of received file:
- SHA256:...
E: Some index files failed to download. They were ignored, or old ones used instead.Common causes
A stale apt cache in a reused layer
An earlier cached layer carries an out-of-date /var/lib/apt/lists, so the index no longer matches the current Release hashes.
A mirror mid-sync or a caching proxy
A mirror caught between syncs, or an HTTP proxy or CDN serving stale index files, returns content that fails the hash check.
How to fix it
Clear the lists and update fresh
Remove the cached index before updating so apt fetches a consistent set in one pass.
RUN rm -rf /var/lib/apt/lists/* \
&& apt-get updateBypass a bad proxy or pin a stable mirror
- Disable or skip a caching proxy that serves stale indexes.
- Point apt at a single known-good mirror for your region.
- Re-run; a transient mirror sync usually clears on retry.
How to prevent it
- Do not cache
/var/lib/apt/listsbetween CI builds. - Use a consistent, well-synced mirror for apt.
- Avoid a caching HTTP proxy in front of apt index downloads.