I use Chocolatey as my package manager for my Windows images. Usually it works great, but every now and then the vendor updates the .exe installer on their backend, and that leads to my PowerShell scripts breaking due to a hash mismatch and the app package not installing. If I pass the --ignore-checksum argument, it works flawlessly for obvious reasons.

For instance, Steam, Origin, and GeForce Experience now won't install due to a hash mismatch unless I pass that argument.

--ignore-checksum is supposedly rather dangerous to use because you can easily end up with malware.

I'm wondering if there's a better alternative to passing this argument if I do want to stick with Chocolatey and still have my app packages installing every time the scripts run?

Btw, won't my AV catch such malware, I wonder? It's not like this is a rootkit/bootkit.