microsoft / winget-cli

WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
https://learn.microsoft.com/windows/package-manager/
MIT License

when installing whatsapp, I'm getting "Installer does not match error". #650

Closed uishon closed 3 years ago

uishon commented 3 years ago

Brief description of your issue

When installing whatsapp using winget I'm getting: "Installer does not match error"

Steps to reproduce

winget install whatsapp

Expected behavior

A successful install. No errors.

Actual behavior

PS C:\Users\uisho> winget install whatsapp
Found WhatsApp [WhatsApp.WhatsApp]
This application is licensed to you by its owner.
Microsoft is not responsible for, nor does it grant any licenses to, third-party packages.
Downloading https://web.whatsapp.com/desktop/windows/release/x64/WhatsAppSetup.exe
  ██████████████████████████████   159 MB /  159 MB
Installer hash does not match; to override this check use --force
PS C:\Users\uisho>

Environment

[winget --info]
Windows Package Manager version v0.2.2941 Preview
Windows: Windows.Desktop version v10.0.19042.630
Package: Microsoft.DesktopAppInstaller version v1.11.2941.0

Any other software?

megamorf commented 3 years ago

This simply means that the installer available under a static URL has been updated since the manifest was last published. That's a package error and not a winget CLI error so please close this issue here and check if your issue has been reported in https://github.com/microsoft/winget-pkgs/issues already. If not, please create the issue there.

jsoref commented 3 years ago

@megamorf: is there a bug suggesting that the message should point in that direction?

megamorf commented 3 years ago

@jsoref Yup, check the output of the winget install command that @uishon posted:

Installer hash does not match

Which means that the hash in the package manifest (see winget-pkgs) which is used to populate the package index does not match the hash computed from the downloaded binary. It even tells you how to proceed with the installation if there is a hash mismatch:

to override this check use --force

In which case the command would look like this:

winget install whatsapp --force

jsoref commented 3 years ago

No. I mean is there a bug suggesting that the message should point to https://github.com/microsoft/winget-pkgs/issues

Telling an end user that a hash doesn't match is pretty user hostile.

Pointing them to a web page that can get the hash updated / tell them it will be / walk them through deciding if it's a problem is much better.

Sure, users can blindly run arbitrary commands, but that isn't security.

megamorf commented 3 years ago

I don't think there is anything hostile taking place here. Winget has a single source, the default source, that is being generated from manifests in the winget-pkgs repo. All package-related issues belong there and OP's problem is not with the winget CLI but with a specific package.

Telling the user that there is a hash mismatch is a security measure and can have two causes: 1) the binary from the URL in the manifest has been updated by the software vendor or 2) a malicious actor has intercepted the communication via a man-in-the-middle attack to provide a modified binary.

The likelihood of 2) happening is rather low so in 99.99% of the cases the problem is 1) and can be resolved by waiting for a manifest update by the community (via issue in winget-pkgs) or overriding the command to accept the risk of installing a package with a different hash.
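
The comparison discussed in this thread (the manifest's hash versus the hash of the downloaded binary), as an added PowerShell example that is not from any commenter and is not winget's own code. It also reads the file's Authenticode signature as one way to weigh the two causes named above; the function name `Test-InstallerHash`, the temp file and the all-zero hash are constructed for illustration.

```powershell
# Added illustration; not winget source code. Compares a downloaded installer
# with the SHA-256 recorded in a package manifest and reports the Authenticode
# signer, so a mismatch can be triaged before anyone reaches for --force.
function Test-InstallerHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidatePattern('^[0-9A-Fa-f]{64}$')] [string] $ExpectedSha256
    )

    # Hash of the bytes actually on disk, and whatever signature they carry.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    $match = $actual -eq $ExpectedSha256   # -eq on strings is case-insensitive

    # Assumed triage heuristic for this example, not a rule winget applies.
    $assessment = if ($match) {
        'Hash matches the manifest.'
    } elseif ($sig.Status -eq 'Valid') {
        'Hash differs but the signature is valid: confirm the signer is the vendor; a stale manifest is likely.'
    } else {
        'Hash differs and there is no valid signature: do not install; report it to the package repository.'
    }

    [pscustomobject]@{
        ExpectedSha256  = $ExpectedSha256.ToUpperInvariant()
        ActualSha256    = $actual
        HashMatches     = $match
        SignatureStatus = $sig.Status
        Signer          = $signer
        Assessment      = $assessment
    }
}

# Constructed sample so the function runs offline: a temp file stands in for
# the downloaded installer, and an all-zero hash stands in for a stale manifest.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'constructed-installer.bin'
[IO.File]::WriteAllBytes($sample, [Text.Encoding]::ASCII.GetBytes('constructed installer bytes'))
$current = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash
$stale   = '0' * 64

Test-InstallerHash -Path $sample -ExpectedSha256 $current   # HashMatches: True
Test-InstallerHash -Path $sample -ExpectedSha256 $stale     # HashMatches: False
Remove-Item -LiteralPath $sample
```

Against a real download, pass the installer's path and the SHA-256 value from the package's manifest in winget-pkgs.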

uishon commented 3 years ago

Putting aside the thread on the error message text, closing this issue.

See https://github.com/microsoft/winget-pkgs/issues/4986 for this specific whatsapp issue (just created) and https://github.com/microsoft/winget-pkgs/issues/3250 for a discussion of what seems to be the root cause for this happening from time to time.