Skip to content
Latchkey

Terraform "Failed to install provider" checksum mismatch in CI

init verifies each downloaded provider against the hashes in .terraform.lock.hcl. When the fetched package matches no recorded checksum, init aborts to protect supply-chain integrity rather than installing an unverified plugin.

What this error means

init fails with "Error: Failed to install provider" and "the current package ... doesn't match any of the checksums recorded in the dependency lock file".

Terraform
Error: Failed to install provider

Error while installing hashicorp/aws v5.40.0: the current package for
registry.terraform.io/hashicorp/aws 5.40.0 doesn't match any of the checksums
previously recorded in the dependency lock file; ...

Common causes

The lock file has no hash for this platform

The lock was generated on macOS or Linux only, so a different CI OS/arch has no matching checksum and init rejects the package.

A mirror served a different artifact

A provider mirror or proxy returned a package whose hash differs from what the lock recorded, so verification fails.

How to fix it

Record hashes for all CI platforms

  1. Run providers lock with every platform your pipelines use.
  2. Commit the updated .terraform.lock.hcl.
  3. Re-run init so the platform hash is now present.
Terminal
terraform providers lock \
  -platform=linux_amd64 \
  -platform=darwin_arm64

Re-upgrade against a trusted source

If a mirror served a bad artifact, re-resolve from the canonical registry and refresh the recorded hashes.

Terminal
terraform init -upgrade

How to prevent it

  • Generate lock hashes for every OS/arch your CI runs on.
  • Commit .terraform.lock.hcl so checksums are pinned and reviewed.
  • Point provider downloads at one trusted registry or mirror.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →