Skip to content
DevOps AI ToolKit
Newsletter
All guides
AI for Linux Admins By James Joyner IV · · 9 min read

Linux Error: Hash Sum mismatch — Cause, Fix, and Troubleshooting Guide

How to fix the Linux apt 'Hash Sum mismatch' error on Ubuntu and Debian: clear the package lists cache and track down the caching proxy or stale mirror behind it.

  • #linux
  • #troubleshooting
  • #ubuntu
  • #apt
  • #package-management

Summary

Hash Sum mismatch during apt update means the checksum apt computed for a downloaded index or package does not match the checksum published in the repository’s signed Release file. Apt treats this as tampering or corruption and refuses the file. On Debian/Ubuntu the cause is almost always a caching proxy, a mirror mid-sync, or a partially downloaded index — not an attack. The fix is to clear the local lists cache and, most importantly, find the intermediary that served stale or truncated data.

Common Symptoms

  • apt-get update prints E: Failed to fetch ... Hash Sum mismatch.
  • The same line repeats for Packages, Packages.gz, InRelease, or a .deb.
  • Messages like Hashes of expected file: ... Hashes of received file: ... show two different sums.
  • Works after apt-get clean but returns on the next update — a strong sign of a caching proxy.
  • Common behind corporate proxies (Squid, apt-cacher-ng) or on a mirror being resynced.

Most Likely Causes of the ‘Hash Sum mismatch’ Error

The most common production cause is a caching HTTP proxy (Squid, apt-cacher-ng, a CDN edge) serving a stale or partial index that no longer matches the current signed Release. Other causes:

  • A mirror caught mid-sync, so indexes and packages are momentarily inconsistent.
  • A corrupted or truncated file in /var/lib/apt/lists/.
  • A network device or transparent proxy altering/compressing responses.
  • Disk full or filesystem errors truncating downloads locally.

Quick Triage

# Refetch indexes from scratch after clearing cached lists
sudo rm -rf /var/lib/apt/lists/*
sudo apt-get update

# Are you going through a proxy?
env | grep -i proxy
grep -R "Acquire::http" /etc/apt/apt.conf.d/ 2>/dev/null

# Is the disk full (truncated downloads)?
df -h /var

Diagnostic Commands

# Clear all cached indexes and re-download
sudo rm -rf /var/lib/apt/lists/*
sudo mkdir -p /var/lib/apt/lists/partial
sudo apt-get update

# See exactly what URL/proxy apt hits and the hashes it compares
sudo apt-get update -o Debug::Acquire::http=true 2>&1 | less

# Inspect configured sources and any pinned mirror
cat /etc/apt/sources.list
ls -l /etc/apt/sources.list.d/

# Confirm whether a caching proxy is configured for apt specifically
grep -R "Acquire::" /etc/apt/apt.conf.d/

# Compare against the signed Release to prove which side is stale
curl -sSL http://archive.ubuntu.com/ubuntu/dists/$(lsb_release -cs)/InRelease | head

If the mismatch disappears when you bypass the proxy, the proxy is the culprit.

Fix / Remediation

  1. Clear the local lists cache and retry (safest, fixes most cases):

    sudo rm -rf /var/lib/apt/lists/*
    sudo apt-get clean
    sudo apt-get update
  2. Bypass or flush the caching proxy. For apt-cacher-ng or Squid, purge the cached index or temporarily bypass it:

    sudo apt-get -o Acquire::http::proxy=false update
    # apt-cacher-ng: expire stale files
    sudo /usr/lib/apt-cacher-ng/expire-caller.pl
  3. Switch to a different mirror if the current one is mid-sync (edit /etc/apt/sources.list or use software-properties-gtk / the Ubuntu mirror selector), then update.

  4. Force IPv4 if a load-balanced mirror returns inconsistent nodes:

    sudo apt-get -o Acquire::ForceIPv4=true update
  5. Rule out local corruption — check disk space and filesystem health, then clear cache again:

    df -h /var
    sudo dmesg | grep -i -E 'ext4|xfs|i/o error'

Warning: Do not “fix” a persistent Hash Sum mismatch by disabling signature/hash checks (Acquire::Check-Valid-Until "false" blindly, or trusting unauthenticated repos). A real mismatch can indicate a man-in-the-middle proxy; identify the intermediary rather than turning off verification.

Validation

# A clean update with no fetch errors
sudo apt-get update
echo "update exit: $?"

# Indexes are freshly written
ls -lt /var/lib/apt/lists/ | head

# A package install now downloads and verifies
sudo apt-get install --reinstall --download-only apt

Prevention

  • Pin to a reliable, geographically close mirror rather than a round-robin alias that can serve mid-sync nodes.
  • Configure caching proxies (apt-cacher-ng/Squid) to respect Release/InRelease freshness and not cache indexes too aggressively.
  • Monitor proxy and mirror health; alert when index and package hashes diverge.
  • Keep /var from filling up so downloads are never truncated.
  • On RHEL/Rocky/Alma the parallel symptom is dnf’s Status code: 404/checksum errors after dnf clean all; the same caching-proxy and mirror-sync causes apply.

Final Notes

Clearing /var/lib/apt/lists fixes the immediate failure, but if Hash Sum mismatch keeps returning, the real fault is upstream — a caching proxy or a mirror mid-sync. Trace the intermediary and fix or bypass it; never disable apt’s verification to make the error go away.

Want faster Linux incident response? Use DevOps AI Toolkit to turn production errors into clear diagnostics, remediation steps, and reusable runbooks.

Free download · 368-page PDF

Download the Free 500-Prompt DevOps AI Toolkit

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.