Hash Sum mismatch when apt update

Support Bug Reports
, ,
1

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

OS: Zorin OS 18.1 (Ubuntu-based)
Cursor installed from the official .deb package.

When updating (apt update), I get:
Err:16 https://downloads.cursor.com/aptrepo stable/main amd64 Packages
Hash Sum mismatch
Hashes of expected file:

  • Filesize:1446 [weak]
  • SHA256:e85150dcfba692e3845c929ed0e1de3655ce4fd3da30bfb74c7b0fab683e96f4
  • SHA1:55f56e243977529afda2c40af2bfe1083719c918 [weak]
  • MD5Sum:7cd3228d7b8bf5326e9776b3fafe8f75 [weak]
    Hashes of received file:
  • SHA256:1e760526da3693259b244a9f3d46c62725c605e3201799c8fa43c130dce4dc76
  • SHA1:eb4345fb44c92dea3dcbe012c25a9add518006e6 [weak]
  • MD5Sum:eba76948a09dda489725e9d69c14426b [weak]
  • Filesize:1446 [weak]
    Last modification reported: Fri, 29 May 2026 17:02:48 +0000
    Release file created at: Fri, 29 May 2026 09:28:51 +0000

Here is my cursor.sources:
$ cat /etc/apt/sources.list.d/cursor.sources

THIS FILE IS AUTOMATICALLY CONFIGURED

You may comment out this entry, but any other modifications may be lost.

Types: deb
URIs: https://downloads.cursor.com/aptrepo
Suites: stable
Components: main
Architectures: amd64
Signed-By: /usr/share/keyrings/anysphere.gpg

Steps to Reproduce

sudo apt update

Operating System

Linux

Version Information

Cursor 3.6.21

Does this stop you from using Cursor

No - Cursor works, but with this issue

5

Hey, thanks for the detailed report with hashes and timings. This is a known issue on our side with the apt repo metadata. InRelease got out of sync with Packages.gz. It’s not a bug in your system.

This doesn’t affect Cursor itself, and you already noticed that. Here are a few workarounds, from quick to more invasive:

  1. Clear the local apt metadata cache and force a fresh fetch:

    sudo rm -rf /var/lib/apt/lists/*
sudo apt update

    If you cached an old InRelease locally, this should fix it right away. If the mismatch is still there, it’s on the repo metadata side.

  2. Just retry sudo apt update a bit later. After the next publish cycle, the hashes usually line up again.

  3. If this is blocking other updates right now, temporarily comment out the Cursor source:

    sudo nano /etc/apt/sources.list.d/cursor.sources

    Add # before the URIs: line (or comment out the whole block), run apt update, then revert it.

We’ve already logged the issue. Once there’s an update, I’ll reply in the thread. Let me know at which step the mismatch goes away, or if it doesn’t. That helps confirm whether it’s client-side or server-side.

7

Hi @deanrie , thanks a lot for the quick reply.

I’ve tried everything you suggested (and even more, like “sudo apt clean”, reinstalling the package and so on), but nothing worked. So yes, it looks like the problem is on the server side, as you already mentioned.

For now, I can just ignore the error or disable the Cursor repo, so this doesn’t block my work in any way, but ofcourse it would be great go get Cursor updates sometime again. :slight_smile:

Thanks for looking into it!

8

Thanks for running through all the steps. It confirms the issue is on the repo side, not on your end. This can’t be fixed with client workarounds anymore, the metadata mismatch needs to be fixed on the server.

We’ve logged the issue on our side. For now, you can safely keep the Cursor source commented out or just ignore the error, it won’t affect how Cursor works. I’ll post an update in this thread as soon as I have one.

9

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

I use a Docker file to prepare a Cursor IDE work environment, but recently I get an APT signature mismatch - see attached pictures.

Here are core error messages (from variation of reproduction steps, eg. using http instead of SSL):

Error 1:

1.755 Error: Failed to fetch /aptrepo/dists/stable/main/binary-amd64/Packages.gz Hash Sum mismatch
1.755 Hashes of expected file:
1.755 - Filesize:1446 [weak]
1.755 - SHA256:e85150dcfba692e3845c929ed0e1de3655ce4fd3da30bfb74c7b0fab683e96f4
1.755 - SHA1:55f56e243977529afda2c40af2bfe1083719c918 [weak]
1.755 - MD5Sum:7cd3228d7b8bf5326e9776b3fafe8f75 [weak]
1.755 Hashes of received file:
1.755 - SHA256:1e760526da3693259b244a9f3d46c62725c605e3201799c8fa43c130dce4dc76
1.755 - SHA1:eb4345fb44c92dea3dcbe012c25a9add518006e6 [weak]
1.755 - MD5Sum:eba76948a09dda489725e9d69c14426b [weak]
1.755 - Filesize:1446 [weak]
1.755 Last modification reported: Fri, 29 May 2026 17:02:48 +0000
1.755 Release file created at: Fri, 29 May 2026 09:28:51 +0000

Error 2:

7.692 Err:1 /aptrepo stable InRelease
7.692 SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 104.18.16.128 443]

Error 3:

3.377 Warning: OpenPGP signature verification failed: /aptrepo stable InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 42A1772E62E492D6
3.377 Error: The repository ‘ stable InRelease’ is not signed.

Steps to Reproduce

Consider the following Docker file:

FROM ubuntu:26.04

# Add Cursor's GPG key
RUN curl -fsSL https://downloads.cursor.com/keys/anysphere.asc \
  | gpg --dearmor \
  | tee /etc/apt/keyrings/cursor.gpg >/dev/null
RUN chmod 644 /etc/apt/keyrings/cursor.gpg

# Add the Cursor repository
RUN echo 'deb [arch=amd64 signed-by=/etc/apt/keyrings/cursor.gpg] https://downloads.cursor.com/aptrepo stable main' \
 | tee /etc/apt/sources.list.d/cursor.list

# Update and install
RUN apt update && apt install -y cursor

Expected Behavior

I have been using the above Dockerfile sniper for months and it worked. This is a regression bug.

Screenshots / Screen Recordings

Screenshot_20260530_144749.png
Screenshot_20260530_144749.png833×558 80.7 KB

Operating System

Linux

Version Information

Installation issue for APT after following instructions from:
/docs/get-started/quickstart

For AI issues: which model did you use?

N/A

For AI issues: add Request ID with privacy disabled

N/A

Additional Information

Most likely a regression where public GPG key did not get updated. I cannot use standalone DEB files, unless there is an universal URL to download the latest version - need to automate install task.

Does this stop you from using Cursor

Yes - Cursor is unusable

10

Note: I did install Cursor using .deb file, but it seems to be breaking follow-up apt update commands. Installing Cursor right now is potentially dangerous to automated work deployments.

11

I can confirm this is still a server-side issue.

I verified the hashes directly:

Expected SHA256 from Release:

e85150dcfba692e3845c929ed0e1de3655ce4fd3da30bfb74c7b0fab683e96f4

Actual SHA256 of the currently served Packages.gz:

1e760526da3693259b244a9f3d46c62725c605e3201799c8fa43c130dce4dc76

Commands used:

curl -s https://downloads.cursor.com/aptrepo/dists/stable/main/binary-amd64/Packages.gz | sha256sum

The mismatch is reproducible outside of apt, which confirms the issue is in the repository metadata/CDN and not in the local apt cache.

Ubuntu 26.04 (Resolute)
Cursor repository installed from the official .deb package.

13

Hi @deanrie ,

Can it be that you guys fixed it? I don’t get the errors anymore.

16

Hey @ich,

Yep, it’s fixed on our side. The apt repo metadata is back in sync, InRelease and Packages.gz match again by hashes, so sudo apt update should run without errors. This is a server-side fix, you don’t need to update Cursor.

If anyone still sees the old mismatch locally, it’s cached metadata. You can clear it like this:

sudo rm -rf /var/lib/apt/lists/*
sudo apt update

If you hit the error again after that, let me know and we’ll take a look.

cc @MatrixRonny @Den_Brooks, it should work for you too.