node 20.18.3 (a current LTS) is shipping a broken version of corepack #57041
Description
Version
v20.18.3
Platform
Darwin jjack-XMW16X 24.3.0 Darwin Kernel Version 24.3.0: Thu Jan 2 20:24:16 PST 2025; root:xnu-11215.81.4~3/RELEASE_ARM64_T6000 arm64
Subsystem
corepack
What steps will reproduce the bug?
# setup, I'm using mise to get a specific version of corepack. nvm, asdf, etc should work the same
mkdir ~/tmp-repro
cd ~/tmp-repro
mise use node@20
# verify we're using the expected binaries
which node # /Users/jack/.local/share/mise/installs/node/20/bin/node
which corepack # /Users/jack/.local/share/mise/installs/node/20/bin/corepack
node --version # v20.18.3
corepack --version # 0.30.0
# clean the cache to ensure a download
corepack cache clear
# the command that fails
corepack use pnpmHow often does it reproduce? Is there a required condition?
fails every time for me
What is the expected behavior? Why is that the expected behavior?
the version of corepack distributed with all supported/maintained versions of node shouldn't be broken
What do you see instead?
The same output as reported here nodejs/corepack#612
Internal Error: Cannot find matching keyid: {"signatures":[{"sig":"MEYCIQDqo/55uI8Wf6M4RGn3wszRvnxozJXgQK3vMFN/1emK+AIhAOZdugJH0o6Gv0QdU3iAPB67UBlDtA
p6EtXoMiVasB2t","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQ
AE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i
6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}
at verifySignature (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:21535:47)
at installVersion (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:21882:7)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Engine.ensurePackageManager (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:22316:3
2)
at async UseCommand.execute (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:22920:32)
at async UseCommand.validateAndExecute (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:19835
:22)
at async _Cli.run (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:20772:18)
at async Object.runMain (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:23097:19)
Additional information
The fix suggested here nodejs/corepack#612 (comment) of setting COREPACK_INTEGRITY_KEYS to {"npm":[{"expires":"2025-01-29T00:00:00.000Z","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="},{"expires":null,"keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY6Ya7W++7aUPzvMTrezH6Ycx3c+HOKYCcNGybJZSCJq/fd7Qa8uuAKtdIkUQtQiEKERhAmE5lMMJhP8OkDOa2g=="}]}. works but should not be required
I also tested this with:
- node v18.20.2 (corepack 0.25.2) and it did not fail, I'm not sure why, I expected it to as it's got a <0.31 version of corepack
- node v22.14.0 (corepack 0.31) and it works well as expected, because it has the fixed version of corepack