Terraform "Failed to install provider" checksum mismatch in CI
init verifies each downloaded provider against the hashes in .terraform.lock.hcl. When the fetched package matches no recorded checksum, init aborts to protect supply-chain integrity rather than installing an unverified plugin.
What this error means
init fails with "Error: Failed to install provider" and "the current package ... doesn't match any of the checksums recorded in the dependency lock file".
Error: Failed to install provider
Error while installing hashicorp/aws v5.40.0: the current package for
registry.terraform.io/hashicorp/aws 5.40.0 doesn't match any of the checksums
previously recorded in the dependency lock file; ...Common causes
The lock file has no hash for this platform
The lock was generated on macOS or Linux only, so a different CI OS/arch has no matching checksum and init rejects the package.
A mirror served a different artifact
A provider mirror or proxy returned a package whose hash differs from what the lock recorded, so verification fails.
How to fix it
Record hashes for all CI platforms
- Run providers lock with every platform your pipelines use.
- Commit the updated .terraform.lock.hcl.
- Re-run init so the platform hash is now present.
terraform providers lock \
-platform=linux_amd64 \
-platform=darwin_arm64Re-upgrade against a trusted source
If a mirror served a bad artifact, re-resolve from the canonical registry and refresh the recorded hashes.
terraform init -upgradeHow to prevent it
- Generate lock hashes for every OS/arch your CI runs on.
- Commit .terraform.lock.hcl so checksums are pinned and reviewed.
- Point provider downloads at one trusted registry or mirror.