When the user has not provided any hash (so when running `corepack up`/`corepack use …`), and the package manager is downloaded from the npm registry, we can verify the signature.

Related to https://github.com/nodejs/corepack/issues/10.

BREAKING CHANGE: attempting to download a version from the npm registry (or a mirror) that was published using the now deprecated PGP signature (Yarn ≤1.22.18, Yarn Berry ≤4.0.0-rc.43, pnpm ≤8.4.0) without providing a hash will trigger an error. Users can disable the signature verification by setting `COREPACK_INTEGRITY_KEYS=""`.