Skip to content
Latchkey

Terraform "checksums previously recorded in the lock file" in CI

init downloaded a provider whose hash is not among the checksums recorded in .terraform.lock.hcl -- usually because the lock has no entry for the CI runner platform, or the package legitimately changed.

What this error means

terraform init fails verifying a provider: the downloaded package does not match any checksum recorded in the lock file. It is common when the lock was generated on macOS but CI runs on linux_amd64, so no matching hash exists.

terraform
Error: Failed to install provider

Error while installing hashicorp/aws v5.60.0: the current package for
registry.terraform.io/hashicorp/aws 5.60.0 doesn't match any of the checksums
previously recorded in the dependency lock file; either the provider package has
been corrupted, or this is a legitimate change to a new version of the provider.

Common causes

Lock file missing the CI platform hash

A lock generated only for one OS/arch has no checksum for the runner platform, so the legitimately-downloaded package matches nothing recorded.

Package or mirror changed

A corrupted download, a republished version, or a misconfigured provider mirror serves a package whose hash differs from the recorded one.

How to fix it

Record hashes for all platforms in the lock file

Regenerate the lock with every platform CI uses, then commit it.

Terminal
terraform providers lock \
  -platform=linux_amd64 \
  -platform=darwin_arm64 \
  -platform=linux_arm64

Rule out corruption before trusting a new hash

  1. If you expected the version to change, run init with -upgrade to record the new checksums intentionally.
  2. If you did not, clear the provider cache and re-init to rule out a corrupted download.
  3. Verify any private provider mirror serves the canonical package.

How to prevent it

  • Run terraform providers lock with every CI platform and commit the result.
  • Pin provider versions so checksums only change on deliberate upgrades.
  • Validate provider mirrors serve canonical, uncorrupted packages.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →