diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 29cd7adf4..922901f27 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -94,18 +94,11 @@ jobs:
       - name: Install nimble deps
         if: steps.cache-nimbledeps.outputs.cache-hit != 'true'
         run: |
-          # nim and nimble have unstable cross-platform checksums (their source
-          # trees check out differently per OS), so strip them from the lock
-          # before setup to avoid spurious mismatches; the toolchain installed
-          # above provides them, they are not resolved as project deps.
-          python3 -c "
-          import json
-          lock = json.load(open('nimble.lock'))
-          for key in ['nim', 'nimble']:
-            lock['packages'].pop(key, None)
-          json.dump(lock, open('nimble.lock', 'w'), indent=2)
-          "
-          nimble setup --localdeps -y
+          # Use system nim instead of the nim pinned in nimble.lock: nim's
+          # source tree checksums differently across platforms, so the locked
+          # checksum is unreliable. --useSystemNim skips the locked nim while
+          # still verifying every other locked dependency.
+          nimble setup --localdeps -y --useSystemNim
           make rebuild-nat-libs-nimbledeps
           make rebuild-bearssl-nimbledeps
           touch nimbledeps/.nimble-setup
@@ -158,18 +151,11 @@ jobs:
       - name: Install nimble deps
         if: steps.cache-nimbledeps.outputs.cache-hit != 'true'
         run: |
-          # nim and nimble have unstable cross-platform checksums (their source
-          # trees check out differently per OS), so strip them from the lock
-          # before setup to avoid spurious mismatches; the toolchain installed
-          # above provides them, they are not resolved as project deps.
-          python3 -c "
-          import json
-          lock = json.load(open('nimble.lock'))
-          for key in ['nim', 'nimble']:
-            lock['packages'].pop(key, None)
-          json.dump(lock, open('nimble.lock', 'w'), indent=2)
-          "
-          nimble setup --localdeps -y
+          # Use system nim instead of the nim pinned in nimble.lock: nim's
+          # source tree checksums differently across platforms, so the locked
+          # checksum is unreliable. --useSystemNim skips the locked nim while
+          # still verifying every other locked dependency.
+          nimble setup --localdeps -y --useSystemNim
           make rebuild-nat-libs-nimbledeps
           make rebuild-bearssl-nimbledeps
           touch nimbledeps/.nimble-setup
@@ -234,18 +220,11 @@ jobs:
       - name: Install nimble deps
         if: steps.cache-nimbledeps.outputs.cache-hit != 'true'
         run: |
-          # nim and nimble have unstable cross-platform checksums (their source
-          # trees check out differently per OS), so strip them from the lock
-          # before setup to avoid spurious mismatches; the toolchain installed
-          # above provides them, they are not resolved as project deps.
-          python3 -c "
-          import json
-          lock = json.load(open('nimble.lock'))
-          for key in ['nim', 'nimble']:
-            lock['packages'].pop(key, None)
-          json.dump(lock, open('nimble.lock', 'w'), indent=2)
-          "
-          nimble setup --localdeps -y
+          # Use system nim instead of the nim pinned in nimble.lock: nim's
+          # source tree checksums differently across platforms, so the locked
+          # checksum is unreliable. --useSystemNim skips the locked nim while
+          # still verifying every other locked dependency.
+          nimble setup --localdeps -y --useSystemNim
           make rebuild-nat-libs-nimbledeps
           make rebuild-bearssl-nimbledeps
           touch nimbledeps/.nimble-setup
diff --git a/.github/workflows/windows-build.yml b/.github/workflows/windows-build.yml
index c17c604ce..059cc954f 100644
--- a/.github/workflows/windows-build.yml
+++ b/.github/workflows/windows-build.yml
@@ -109,20 +109,14 @@ jobs:
       if: steps.cache-nimbledeps.outputs.cache-hit != 'true'
       run: |
         export PATH="$GITHUB_WORKSPACE/.nim_runtime/bin:$HOME/.nimble/bin:$PATH"
-        # nim and nimble have unstable cross-platform checksums: their source
-        # trees check out differently per OS (nim ships a .gitattributes that
-        # forces line endings on some files), so their SHA1 never matches the
-        # Linux-computed values in nimble.lock on Windows — even with autocrlf
-        # disabled. Strip them from the lock before setup; they are provided by
-        # the toolchain installed above, not resolved as project deps.
-        python -c "
-        import json
-        lock = json.load(open('nimble.lock'))
-        for key in ['nim', 'nimble']:
-          lock['packages'].pop(key, None)
-        json.dump(lock, open('nimble.lock', 'w'), indent=2)
-        "
-        nimble setup --localdeps -y
+        # Use the CI-installed system nim instead of the nim pinned in
+        # nimble.lock. nim's source tree checks out differently on Windows
+        # (its .gitattributes forces line endings on some files), so its
+        # checksum never matches the Linux-computed value in the lock — not
+        # even with autocrlf disabled. --useSystemNim makes nimble ignore the
+        # locked nim (no download, no checksum) while still verifying every
+        # other locked dependency.
+        nimble setup --localdeps -y --useSystemNim
         make rebuild-nat-libs-nimbledeps CC=gcc
         make rebuild-bearssl-nimbledeps CC=gcc
         touch nimbledeps/.nimble-setup