node 20.18.3 (a current LTS) is shipping a broken version of corepack

[jay-aye-see-kay]

Version

v20.18.3

Platform

Darwin jjack-XMW16X 24.3.0 Darwin Kernel Version 24.3.0: Thu Jan  2 20:24:16 PST 2025; root:xnu-11215.81.4~3/RELEASE_ARM64_T6000 arm64

Subsystem

corepack

What steps will reproduce the bug?

# setup, I'm using mise to get a specific version of corepack. nvm, asdf, etc should work the same
mkdir ~/tmp-repro
cd ~/tmp-repro
mise use node@20

# verify we're using the expected binaries
which node # /Users/jack/.local/share/mise/installs/node/20/bin/node
which corepack # /Users/jack/.local/share/mise/installs/node/20/bin/corepack
node --version # v20.18.3
corepack --version # 0.30.0

# clean the cache to ensure a download
corepack cache clear

# the command that fails
corepack use pnpm

How often does it reproduce? Is there a required condition?

fails every time for me

What is the expected behavior? Why is that the expected behavior?

the version of corepack distributed with all supported/maintained versions of node shouldn't be broken

What do you see instead?

The same output as reported here nodejs/corepack#612

Internal Error: Cannot find matching keyid: {"signatures":[{"sig":"MEYCIQDqo/55uI8Wf6M4RGn3wszRvnxozJXgQK3vMFN/1emK+AIhAOZdugJH0o6Gv0QdU3iAPB67UBlDtA
p6EtXoMiVasB2t","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQ
AE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i
6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}
    at verifySignature (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:21535:47)
    at installVersion (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:21882:7)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Engine.ensurePackageManager (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:22316:3
2)
    at async UseCommand.execute (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:22920:32)
    at async UseCommand.validateAndExecute (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:19835
:22)
    at async _Cli.run (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:20772:18)
    at async Object.runMain (/Users/jack/.local/share/mise/installs/node/20.18.3/lib/node_modules/corepack/dist/lib/corepack.cjs:23097:19)

Additional information

The fix suggested here nodejs/corepack#612 (comment) of setting COREPACK_INTEGRITY_KEYS to {"npm":[{"expires":"2025-01-29T00:00:00.000Z","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="},{"expires":null,"keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY6Ya7W++7aUPzvMTrezH6Ycx3c+HOKYCcNGybJZSCJq/fd7Qa8uuAKtdIkUQtQiEKERhAmE5lMMJhP8OkDOa2g=="}]}. works but should not be required

---

I also tested this with:

• node v18.20.2 (corepack 0.25.2) and it did not fail, I'm not sure why, I expected it to as it's got a <0.31 version of corepack
• node v22.14.0 (corepack 0.31) and it works well as expected, because it has the fixed version of corepack

[richardlau]

FWIW There's a tracking issue in the corepack repo: nodejs/corepack#627

[MikeMcC399]

@jay-aye-see-kay

node v18.20.2 (corepack 0.25.2) and it did not fail, I'm not sure why, I expected it to as it's got a <0.31 version of corepack

The issue only affects Corepack 0.27.0 - 0.30.0