Terraform "checksums previously recorded in the lock file" in CI
init downloaded a provider whose hash is not among the checksums recorded in .terraform.lock.hcl -- usually because the lock has no entry for the CI runner platform, or the package legitimately changed.
What this error means
terraform init fails verifying a provider: the downloaded package does not match any checksum recorded in the lock file. It is common when the lock was generated on macOS but CI runs on linux_amd64, so no matching hash exists.
Error: Failed to install provider
Error while installing hashicorp/aws v5.60.0: the current package for
registry.terraform.io/hashicorp/aws 5.60.0 doesn't match any of the checksums
previously recorded in the dependency lock file; either the provider package has
been corrupted, or this is a legitimate change to a new version of the provider.Common causes
Lock file missing the CI platform hash
A lock generated only for one OS/arch has no checksum for the runner platform, so the legitimately-downloaded package matches nothing recorded.
Package or mirror changed
A corrupted download, a republished version, or a misconfigured provider mirror serves a package whose hash differs from the recorded one.
How to fix it
Record hashes for all platforms in the lock file
Regenerate the lock with every platform CI uses, then commit it.
terraform providers lock \
-platform=linux_amd64 \
-platform=darwin_arm64 \
-platform=linux_arm64Rule out corruption before trusting a new hash
- If you expected the version to change, run init with -upgrade to record the new checksums intentionally.
- If you did not, clear the provider cache and re-init to rule out a corrupted download.
- Verify any private provider mirror serves the canonical package.
How to prevent it
- Run terraform providers lock with every CI platform and commit the result.
- Pin provider versions so checksums only change on deliberate upgrades.
- Validate provider mirrors serve canonical, uncorrupted packages.