diff --git a/bob/devtools/bootstrap.py b/bob/devtools/bootstrap.py
index 0f91e4c99107cae490ef7e43fc1351be493e8581..4b47575b9abbe028e1b3c675d602525cc4bf31b5 100644
--- a/bob/devtools/bootstrap.py
+++ b/bob/devtools/bootstrap.py
@@ -245,7 +245,7 @@ def ensure_miniconda_sh():
             return
         else:
             logger.info(
-                "Erasing cached miniconda3 installer (%s does NOT " "match)",
+                "Erasing cached miniconda3 installer (%s does NOT match)",
                 actual_sha256,
             )
             os.unlink("miniconda.sh")
@@ -259,6 +259,21 @@ def ensure_miniconda_sh():
     with open(dst, "wb") as f:
         f.write(response.read())
 
+    # checks that the checksum is correct on this file
+    actual_sha256 = hashlib.sha256(
+        open("miniconda.sh", "rb").read()
+    ).hexdigest()
+    if actual_sha256 != sha256:
+        os.unlink("miniconda.sh")
+        raise RuntimeError(
+            "Just downloaded miniconda3 installer sha256 checksum (%s) does "
+            "NOT match expected value (%s). Removing downloaded installer. "
+            "A wrong checksum may end up making the CI download too many copies "
+            "and be banned! You must fix this ASAP.",
+            actual_sha256,
+            sha256,
+        )
+
 
 def install_miniconda(prefix, name):
     """Creates a new miniconda installation.