# OL-4251 — Update integrity / SHA-512 SRI mismatch
> The downloaded tarball's SHA-512 digest did not match the manifest's
> `dist.integrity` value. Apply was aborted before extraction; the
> running binary is untouched.
## When this fires
- CDN tampering between the manifest fetch and the byte read.
- Partial download / TCP truncation under unusual conditions.
- A registry mirror that doesn't honour npm's SRI semantics.
## How to fix it
1. Re-run `openlatch-provider update --apply --yes`. Transient CDN
bytes-in-flight issues clear up on the next attempt.
2. If the failure is repeatable from multiple networks, file an issue
at https://github.com/OpenLatch/openlatch-provider/issues — a
genuine SRI mismatch is a security signal worth escalating.
3. Verify your registry mirror returns a `dist.integrity` matching the
bytes it serves: `curl -fsS https://registry.npmjs.org/@openlatch/provider-{platform} | jq '.versions[].dist.integrity'`.
## Related
- `OL-4254` — minisign verify failed (defence-in-depth check; runs
after this one passes).
- `.claude/rules/auto-update.md` — invariant 3 (verify-before-swap).