Skip to content
Latchkey

Dockerfile apt-get "Hash Sum mismatch" in CI

apt downloaded a package index whose checksum does not match the hash recorded in the repository Release file. This is a stale or inconsistent index, not a signing-key problem.

What this error means

A RUN apt-get update step fails with "E: Failed to fetch ... Hash Sum mismatch" followed by "E: Some index files failed to download. They were ignored, or old ones used instead."

docker build
E: Failed to fetch http://deb.debian.org/debian/dists/bookworm/main/binary-amd64/Packages  Hash Sum mismatch
   Hashes of expected file:
    - SHA256:...
   Hashes of received file:
    - SHA256:...
E: Some index files failed to download. They were ignored, or old ones used instead.

Common causes

A stale apt cache in a reused layer

An earlier cached layer carries an out-of-date /var/lib/apt/lists, so the index no longer matches the current Release hashes.

A mirror mid-sync or a caching proxy

A mirror caught between syncs, or an HTTP proxy or CDN serving stale index files, returns content that fails the hash check.

How to fix it

Clear the lists and update fresh

Remove the cached index before updating so apt fetches a consistent set in one pass.

Dockerfile
RUN rm -rf /var/lib/apt/lists/* \
 && apt-get update

Bypass a bad proxy or pin a stable mirror

  1. Disable or skip a caching proxy that serves stale indexes.
  2. Point apt at a single known-good mirror for your region.
  3. Re-run; a transient mirror sync usually clears on retry.

How to prevent it

  • Do not cache /var/lib/apt/lists between CI builds.
  • Use a consistent, well-synced mirror for apt.
  • Avoid a caching HTTP proxy in front of apt index downloads.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →