pnpm: integrity checksum failed when using sha1

pnpm version: 2.2.1

Code to reproduce the issue:

Don’t have a shareable deterministic repro…

Expected behavior:

When performing an install, pnpm should use the same SHA algorithm as the server is using when checking for integrity.

Actual behavior:

We get an error like:

ERROR  sha1-iPH9Gm3+vKXEGUAhCJubDn/BWkA= integrity checksum failed when using sha1: wanted sha1-iPH9Gm3+vKXEGUAhCJubDn/BWkA= but got sha512-L0FUxzgyBIaJrdc1DigatUZiZ9NbeCYNsW6gG/4ezLc/8Hv0EaHsSWGNRPCKBCkiatd3CUFSb6nWLvEVVc2qdg== sha1-sqnHrJmVkxa8tNfCe8ddecwx9LI=. (6553600 bytes)
at on                     …pnpm/lib/node_modules/ssri/index.js:310  const err = new Error(`${sri} integrity checksum failed when using ${algorithm}…
at emitNone               events.js:91
at emit                   events.js:185
at endReadableNT          _stream_readable.js:974
at _combinedTickCallback  internal/process/next_tick.js:74
at _tickCallback          internal/process/next_tick.js:98
Resolving: total 2430, reused 0, downloaded 2269

We verified that our NPM registry is definitely returning SHA1 hashes that match the expected value. It appears that PNPM is sometimes comparing the wrong hash.

Any ideas/logs I could provide?

This has been affecting several members of our team, but not others. Sometimes we can fix it by cleaning out the store or not using the shrinkwrap file, but today we got a deterministic repro on 2 machines.

Additional information:

  • node -v prints: 8.9.4
  • Windows, OS X, or Linux?: Windows
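
Reading the error line above, as an added example that is not part of the original issue and is not pnpm or ssri code: it parses the `wanted` and `got` SRI strings and checks whether the digests under a shared algorithm agree, then shows the same check on bytes. The function names and the sample buffers are constructed for illustration.

```javascript
// Added example: interpret an ssri "wanted ... but got ..." failure line.
const { createHash } = require('node:crypto');

// Error text copied from the issue above.
const ERROR_LINE =
  'sha1-iPH9Gm3+vKXEGUAhCJubDn/BWkA= integrity checksum failed when using sha1: ' +
  'wanted sha1-iPH9Gm3+vKXEGUAhCJubDn/BWkA= but got ' +
  'sha512-L0FUxzgyBIaJrdc1DigatUZiZ9NbeCYNsW6gG/4ezLc/8Hv0EaHsSWGNRPCKBCkiatd3CUFSb6nWLvEVVc2qdg== ' +
  'sha1-sqnHrJmVkxa8tNfCe8ddecwx9LI=. (6553600 bytes)';

// Parse an SRI string ("algo-base64 algo-base64 ...") into { algo: [digest, ...] }.
function parseSri(sri) {
  const byAlgo = {};
  for (const token of sri.trim().split(/\s+/)) {
    const m = /^(sha1|sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(token);
    if (!m) throw new Error(`not an SRI entry: ${token}`);
    (byAlgo[m[1]] = byAlgo[m[1]] || []).push(m[2]);
  }
  return byAlgo;
}

// Classify the failure: is there a shared algorithm, and do its digests agree?
function classifyFailure(line) {
  const m = /wanted (.+?) but got (.+?)\. \((\d+) bytes\)/.exec(line);
  if (!m) throw new Error('not an integrity failure line');
  const wanted = parseSri(m[1]);
  const got = parseSri(m[2]);
  const shared = Object.keys(wanted).filter((a) => a in got);
  const mismatched = shared.filter((a) => !wanted[a].some((d) => got[a].includes(d)));
  let verdict = 'match';
  if (shared.length === 0) verdict = 'no-common-algorithm';
  else if (mismatched.length > 0) verdict = 'content-mismatch';
  return { verdict, shared, bytes: Number(m[3]) };
}

// Build the SRI entry for a buffer under one algorithm.
function sriOf(buf, algorithm) {
  return `${algorithm}-${createHash(algorithm).update(buf).digest('base64')}`;
}

// Recompute the digest of a buffer and compare it with the wanted SRI string.
function verify(buf, wantedSri, algorithm) {
  return (parseSri(wantedSri)[algorithm] || []).includes(sriOf(buf, algorithm).split('-')[1]);
}

// Constructed buffers: a stand-in package body and a shorter copy with different bytes.
const full = Buffer.alloc(4096, 'pnpm');
const partial = full.subarray(0, 1024);
console.log(classifyFailure(ERROR_LINE), verify(partial, sriOf(full, 'sha1'), 'sha1'));
```

For the line in this issue, both sides carry a sha1 entry and the two sha1 digests differ, so the comparison was made with sha1 over bytes that hash to a different value than the wanted one.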

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 40 (32 by maintainers)

Most upvoted comments

People have confirmed that this fixes their repros for this issue. Hurray!

OK, I have found it; this is a regression. The fetch retry options have no default values.

🚢 2.13.4

I’ll try to mock the registry and cover it with tests later