You ran winget install and got "Installer hash does not match the manifest". Here's exactly what that means, why it's actually a feature, and 5 ways to get past it safely.
What this error actually means
winget verifies every installer it downloads against a SHA-256 hash stored in the package manifest. If the file you downloaded has a different hash than expected, winget aborts:
Installer hash does not match; sha256 file: ABC...
Expected: DEF...
Three things can cause this:
- Publisher pushed a new installer without updating the winget manifest yet (most common — ~95% of cases)
- Publisher URL serves dynamic content (CDN gave you a different file)
- Real tampering / corruption during transit (very rare)
Fix 1 — Wait 6-24 hours (recommended)
The safest fix: don't fix anything. Wait.
When a vendor publishes a new installer, the microsoft/winget-pkgs community typically updates the manifest within 6-24 hours. Sometimes the publisher themselves submits the PR (Microsoft.VisualStudioCode, Google.Chrome — same-day). Sometimes a volunteer does it (smaller apps — may take a day or two).
To check if there's a pending PR for your app:
- Go to github.com/microsoft/winget-pkgs/pulls
- Search for your package ID
- If a PR is open, wait for it to merge, then retry
Once merged, refresh your local index:
winget source update
And retry:
winget install --id Some.App
Fix 2 — Use --force to skip the check
If you're certain the publisher URL is legitimate (corporate-signed installer, well-known vendor), bypass the check:
winget install --id Some.App --force
This still downloads from the publisher's URL but skips hash verification. Only do this if:
- You trust the publisher
- The error appeared after a known recent release
- The download speed and CDN look normal
Don't blindly --force on random apps from unknown publishers.
Fix 3 — Manually verify and report
If you want to be thorough:
- Note the expected hash from winget's error message
- Download the installer manually from the publisher's website
- Compute its hash:
Get-FileHash C:\Downloads\app-installer.exe -Algorithm SHA256
- Compare to what the publisher publishes on their site (most security-conscious vendors publish hashes)
- If your hash matches the publisher's published hash but not winget's manifest → manifest is just stale; report on winget-pkgs issues
- If hashes don't match the publisher's published hash either → potential tampering; don't install
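The Fix 3 decision steps as a PowerShell function, added here as an example (it is not part of winget or of the original guide). Test-InstallerHash, its parameter names and the verdict strings are hypothetical; the demo file and hash values are constructed.

```powershell
# Added example: triage a winget hash mismatch following the Fix 3 steps.
# Test-InstallerHash is a hypothetical helper, not a winget or PowerShell built-in.
function Test-InstallerHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,            # manually downloaded installer
        [Parameter(Mandatory)][string]$ManifestSha256,  # expected hash from winget's error message
        [string]$PublisherSha256                        # hash published on the vendor's site, if any
    )

    # Pasted hashes arrive with mixed case and stray whitespace; normalize before comparing.
    $normalize = { param($h) if ($h) { ($h -replace '\s', '').ToUpperInvariant() } }
    $actual    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $manifest  = & $normalize $ManifestSha256
    $publisher = & $normalize $PublisherSha256

    # A truncated value ("ABC...") can never be compared meaningfully, so reject it.
    foreach ($h in @($manifest, $publisher)) {
        if ($h -and $h -notmatch '^[0-9A-F]{64}$') {
            throw "Not a full SHA-256 value (64 hex characters): $h"
        }
    }

    if     ($actual -eq $manifest)  { $verdict = 'MatchesManifest' }  # file is what winget expects
    elseif (-not $publisher)        { $verdict = 'Unverified' }       # no second source to compare
    elseif ($actual -eq $publisher) { $verdict = 'StaleManifest' }    # report on winget-pkgs issues
    else                            { $verdict = 'DoNotInstall' }     # matches neither source

    [pscustomobject]@{
        Verdict = $verdict; Actual = $actual; Manifest = $manifest; Publisher = $publisher
    }
}

# Constructed demo input: a temp file stands in for the downloaded installer.
$file = Join-Path ([IO.Path]::GetTempPath()) 'constructed-installer.bin'
[IO.File]::WriteAllBytes($file, [byte[]](1..64))
$real  = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
$stale = '0' * 64   # constructed manifest value that does not match the file

# Case 1: publisher's hash matches the file, manifest does not.
Test-InstallerHash -Path $file -ManifestSha256 $stale -PublisherSha256 $real.ToLower()
# Case 2: the file matches neither the manifest nor the publisher's hash.
Test-InstallerHash -Path $file -ManifestSha256 $stale -PublisherSha256 ('F' * 64)
Remove-Item -LiteralPath $file
```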
Fix 4 — Try a different version
If the current version is broken, install an older one:
winget show --id Some.App --versions
winget install --id Some.App --version 1.2.3
Older versions usually have stable, verified hashes.
Fix 5 — Submit the manifest update yourself
If you're comfortable with GitHub:
- Fork microsoft/winget-pkgs
- Find the manifest at manifests/<letter>/<Publisher>/<Name>/<Version>/...installer.yaml
- Update InstallerUrl and InstallerSha256:
Installers:
  - Architecture: x64
    InstallerType: exe
    InstallerUrl: https://new.publisher.url/app-1.2.4.exe
    InstallerSha256: ABC123...
Compute the new hash:
winget hash C:\Downloads\app-installer.exe
- Open a PR. Reviewers usually merge within 24 hours.
You've now helped every other winget user too.
Fix 6 — Use Chocolatey or Scoop as fallback
If you absolutely need the app now and waiting isn't an option:
choco install <package>
# or
scoop install <package>
Both have similar — sometimes faster-updating — catalogs. Compare in winget vs Chocolatey vs Scoop.
When this is a red flag
Hash mismatch is usually benign, but treat it as suspicious if:
- You haven't seen the publisher push a new version recently
- The download URL has changed unexpectedly
- The downloaded file size differs significantly from before
- Multiple unrelated packages all show hash mismatch (could indicate MITM attack on your network)
In those cases, run winget source reset --force, switch networks, and retry. If problems persist, your network may be compromised.
How winget hash checking works internally
For curiosity:
- Local catalog index has manifest with InstallerSha256: ABC...
- winget downloads installer from InstallerUrl
- winget computes SHA-256 of downloaded bytes
- If computed hash ≠ manifest hash → abort with "hash does not match"
The hash is over the entire file — even one byte different changes it. CDNs that serve compressed-on-the-fly variants can sometimes confuse this (rare).
Reference: experimental flag (don't use)
For completeness, the experimental setting:
{
  "experimentalFeatures": {
    "directMSI": true
  }
}
This doesn't actually disable hash checking — Microsoft removed that footgun in winget 1.0. Hash checking is mandatory now.
