Closed uishon closed 3 years ago
This simply means that the installer available under a static URL has been updated since the manifest was last published. That's a package error and not a winget CLI error so please close this issue here and check if your issue has been reported in https://github.com/microsoft/winget-pkgs/issues already. If not, please create the issue there.
@megamorf: is there a bug suggesting that the message should point in that direction?
@jsoref Yup, check the output of the winget install command that @uishon posted:
Installer hash does not match
Which means that the hash in the package manifest (see winget-pkgs) which is used to populate the package index does not match the hash computed from the downloaded binary. It even tells you how to proceed with the installation if there is a hash mismatch:
to override this check use --force
In which case the command would look like this:
winget install whatsapp --force
No. I mean is there a bug suggesting that the message should point to https://github.com/microsoft/winget-pkgs/issues
Telling an end user that a hash doesn't match is pretty user hostile.
Pointing them to a web page that can get the hash updated / tell them it will be / walk them through deciding if it's a problem is much better.
Sure, users can blindly run arbitrary commands, but that isn't security.
I don't think there is anything hostile taking place here. Winget has a single source, the default source, that is being generated from manifests in the winget-pkgs repo. All package related issues belong there and OP's problem is not with the winget CLI but with a specific package.
Telling the user that there is a hash mismatch is a security measure and can have two causes: 1) the binary from the URL in the manifest has been updated by the software vendor or 2) a malicious actor has intercepted the communication via a man-in-the-middle attack to provide a modified binary.
The likelihood of 2) happening is rather low so in 99.99% of the cases the problem is 1) and can be resolved by waiting for a manifest update by the community (via issue in winget-pkgs) or overriding the command to accept the risk of installing a package with a different hash.
Putting aside the thread on the error message text, closing this issue.
See https://github.com/microsoft/winget-pkgs/issues/4986 for this specific whatsapp issue (just created) and https://github.com/microsoft/winget-pkgs/issues/3250 for a discussion of what seems to be the root cause for this happening from time to time.
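The check discussed in this thread, written out as an added example (not code from winget or from any participant): it recomputes an installer's SHA-256, compares it with the value a manifest recorded, and reports the file's Authenticode status as a second signal. `Test-InstallerHash` is a hypothetical helper name, and the temp file and its contents are constructed stand-ins for a downloaded installer.

```powershell
# Added example; Test-InstallerHash is a hypothetical helper, not a winget command.
function Test-InstallerHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    # A SHA-256 digest is exactly 64 hex characters; reject anything else
    # so a truncated or mistyped value is never compared.
    $expected = $ExpectedSha256.Trim().ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw 'ExpectedSha256 must be a 64-character hex SHA-256 digest.'
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()
    # The Authenticode status is a second, independent signal: the hash alone
    # cannot say whether a changed file is a vendor update or a modified binary.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Expected        = $expected
        Actual          = $actual
        Match           = ($actual -eq $expected)
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
    }
}

# Constructed sample: a temp file stands in for the downloaded installer.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed-installer.bin'
[System.IO.File]::WriteAllBytes($sample, [System.Text.Encoding]::ASCII.GetBytes('installer v1'))
# Stand-in for the hash published in the manifest at that time.
$manifestHash = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash

# The file behind the same static URL is replaced after the manifest was published.
[System.IO.File]::WriteAllBytes($sample, [System.Text.Encoding]::ASCII.GetBytes('installer v2'))

$result = Test-InstallerHash -Path $sample -ExpectedSha256 $manifestHash
$result | Format-List
if (-not $result.Match) {
    Write-Warning 'Hash mismatch: check the signer or a vendor-published hash before overriding.'
}
Remove-Item -LiteralPath $sample
```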
Brief description of your issue
When installing whatsapp using winget I'm getting: "Installer does not match" error
Steps to reproduce
Expected behavior
A successful install. No errors.
Actual behavior
Environment