Corepack key verification failure with recent package manager versions

[mreishus]

What happened?

After npm registry rotated their signing keys on January 29, 2025 (after 12 years of using the same key), Corepack is failing to install newer versions of package managers like [email protected]+ or [email protected]+ when using Devbox with DEVBOX_COREPACK_ENABLED.

The error occurs because Corepack (versions ≤0.30.0) has hardcoded npm registry keys and fails to verify packages signed with the new key:

Error: Cannot find matching keyid: {"signatures":[{...}],"keys":[{...}]}

Steps to reproduce

Create a project with devbox.json that enables Corepack, and a recent version of pnpm in package.json, then run a command that triggers corepack

• mkdir newtest
• cd newtest
• devbox init
• devbox generate direnv # optional, use devbox shell otherwise
• Edit devbox.json and add

  "packages": ["[email protected]"],
  "env": {
    "DEVBOX_COREPACK_ENABLED": "true"
  }

• npm init, press enter a bunch to go with defaults
• Edit package.json and add

"packageManager": "[email protected]",

• Run pnpm - it should ask to download, if not, try a pnpm you don't already have like 10.2 or 10.4
• See signature failure

~/d/newtest $ pnpm
! Corepack is about to download https://registry.npmjs.org/pnpm/-/pnpm-10.3.0.tgz
? Do you want to continue? [Y/n] y
                                                                                                                                            
/nix/store/ygk01vha6k5zxgn9rsxi3k6cm2kbnwsc-nodejs-22.12.0/lib/node_modules/corepack/dist/lib/corepack.cjs:21535
  if (key == null || signature == null) throw new Error(`Cannot find matching keyid: ${JSON.stringify({ signatures, keys })}`);
                                              ^
                                                                                                                                            
Error: Cannot find matching keyid: {"signatures":[{"sig":"MEYCIQDqo/55uI8Wf6M4RGn3wszRvnxozJXgQK3vMFN/1emK+AIhAOZdugJH0o6Gv0QdU3iAPB67UBlDtAp6EtXoMiVasB2t","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}
    at verifySignature (/nix/store/ygk01vha6k5zxgn9rsxi3k6cm2kbnwsc-nodejs-22.12.0/lib/node_modules/corepack/dist/lib/corepack.cjs:21535:47)

Command

No response

devbox.json

{
    "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.14.0/.schema/devbox.schema.json",
  "packages": ["[email protected]"],
  "env": {
    "DEVBOX_COREPACK_ENABLED": "true"
  },

    "shell": {
      "init_hook": [
        "echo 'Welcome to devbox!' > /dev/null"
      ],
      "scripts": {
        "test": [
          "echo \"Error: no test specified\" && exit 1"
        ]
      }
    }
  }

Devbox version

0.14.0

Nix version

nix (Nix) 2.24.7

What system does this bug occur on?

macOS (M4)

Debug logs

No response

[mreishus]

For a workaround, I added "COREPACK_INTEGRITY_KEYS": "0" to my env section

  "env": {
    "DEVBOX_COREPACK_ENABLED": "true",
    "COREPACK_INTEGRITY_KEYS": "0"
  }

[barraponto]

It seems to have been fixed in release v0.31 of corepack.
Corepack itself is updated in node v22.14, v18.20.7 and v23.7.