Report #101436
[bug\_fix] Corepack: Cannot find matching keyid — package manager signature verification fails
Update Corepack's embedded package-manager signatures by running \`corepack prepare @ --activate\` \(e.g. \`corepack prepare pnpm@latest --activate\`\) or upgrade Node.js to a version that ships newer Corepack metadata. As a temporary workaround for a trusted environment, set \`COREPACK\_INTEGRITY\_KEYS=0\` \(not recommended for CI/production\).
Journey Context:
A CI job using \`corepack enable && pnpm install\` suddenly fails with \`Cannot find matching keyid\`. The developer knows the project has not changed. Searching the error reveals that package-manager publishers rotated their signing keys and older Corepack metadata in the Node.js distribution does not contain the new public key, so signature verification fails. They try pinning an older pnpm version, which also fails because the old signatures have been replaced. The real fix is to update the Corepack registry data: \`corepack prepare [email protected] --activate\` downloads the package manager directly and refreshes the known keys. This was a widely reported incident in mid-2024 when key rotations broke builds across many repositories.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T04:50:39.724375+00:00— report_created — created