"Cannot find matching keyid" if Corepack enabled #1355

MikeMcC399 opened this issue Feb 3, 2025 · 1 comment

MikeMcC399 commented Feb 3, 2025

Situation

If the experimental Corepack version manager for package managers is enabled when using cypress-io/github-action and the packageManager property in the project's package.json selects a package manager that has been signed with a new keyid, then dependency installation fails with:

Error: Cannot find matching keyid

This also affects unchanged packageManager versions in a workflow where the latest version of the package manager is using a new keyid for signing the package:

Currently npm and pnpm are affected. If Yarn releases a new version, then it will also be affected, even if nothing is changed in a user's workflow / package.json.

Background

Keys in the npm registry, located on the endpoint https://registry.npmjs.org/-/npm/v1/keys, were rotated on about Jan 22, 2025. The current set is now:

{
  "keys": [
    {
      "expires": "2025-01-29T00:00:00.000Z",
      "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
      "keytype": "ecdsa-sha2-nistp256",
      "scheme": "ecdsa-sha2-nistp256",
      "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="
    },
    {
      "expires": null,
      "keyid": "SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U",
      "keytype": "ecdsa-sha2-nistp256",
      "scheme": "ecdsa-sha2-nistp256",
      "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY6Ya7W++7aUPzvMTrezH6Ycx3c+HOKYCcNGybJZSCJq/fd7Qa8uuAKtdIkUQtQiEKERhAmE5lMMJhP8OkDOa2g=="
    }
  ]
}

Packages that were signed after the key rotation, such as the following, are using the new keyid SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U.

Package manager
  • [email protected]
  • [email protected]
  • [email protected]

This can be viewed by examining the dist.signatures.keyid property of a package, for instance:

PACKAGE=[email protected]
npm view $PACKAGE dist.signatures.keyid

Assessment

  • By default, cypress-io/github-action installs dependencies using a lockfile provided by the project in the workflow and it uses one of the package managers: npm, Yarn or pnpm as appropriate to do this.
  • cypress-io/github-action@v6 (the only currently supported version) is set up to run under Node.js 20 provided by the GitHub Actions runner

    github-action/action.yml, lines 102 to 103 in b662908:

      runs:
        using: 'node20'
  • The GitHub Actions runner uses the version of Node.js defined in https://github.com/actions/runner/blob/main/src/Misc/externals.sh, which is currently NODE20_VERSION="20.18.2"
  • Node.js v20.18.2 bundles Corepack 0.29.4
  • Corepack stores a local copy of the keys from https://registry.npmjs.org/-/npm/v1/keys for verification.
  • The local copy of the keys is outdated in [email protected] - [email protected]. It is updated in [email protected]
  • When Corepack attempts to use a package manager that has been signed with the new keyid, it fails for the above Corepack versions that include an outdated local copy of the keys.

Recommendation

At this time, monitor and assist with third-party actions to remediate. In the examples, only Yarn Modern uses the experimental Corepack, and only because Yarn itself recommends it. If Yarn releases a new version before GitHub Actions are fixed, then review at that time whether to leave the Yarn Modern examples pinned to "packageManager": "[email protected]" or whether to update them and implement a workaround (see below).

Third-party actions

GitHub Action

To work around the issue and immediately use a new package (see list above) requires setting the environment variable COREPACK_INTEGRITY_KEYS (see Corepack > Environment Variables)

COREPACK_INTEGRITY_KEYS can be set to an empty string or 0 to instruct Corepack to skip integrity checks, or to a JSON string containing custom keys.

      - name: Set alternate npm integrity keys
        run: |
          echo COREPACK_INTEGRITY_KEYS="$(curl https://registry.npmjs.org/-/npm/v1/keys | jq -c '{npm: .keys}')" >> $GITHUB_ENV

or set COREPACK_INTEGRITY_KEYS=0

MikeMcC399 (Collaborator, Author) commented:

This issue also affects packageManager versions which have not been signed with a new key, where the latest version of the packageManager has been signed with a new key. This is true currently for npm and pnpm, but not yet for Yarn.

MikeMcC399 changed the title from "Cannot find matching keyid" if Corepack enabled with new package manager to "Cannot find matching keyid" if Corepack enabled on Feb 4, 2025.