After updating to version 0.27, I'm required to set COREPACK_INTEGRITY_KEYS="" to overcome the lack of signature keys in the payload returned by a JFrog private registry.
The environment variable is properly recognized when calling corepack directly, but it ends up ignored when corepack is spawned by other tools, such as Renovate and Jenkins. Those filter out empty environment variables, leading to an unexpected error:
/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:22685
const key = keys.find(({ keyid }) => signatures.some((s) => s.keyid === keyid));
^
TypeError: Cannot read properties of undefined (reading 'some')
at /usr/lib/node_modules/corepack/dist/lib/corepack.cjs:22685:51
at Array.find (<anonymous>)
at verifySignature (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:22685:20)
at installVersion (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:23037:7)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Engine.ensurePackageManager (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:23449:32)
at async Engine.executePackageManagerRequest (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:23545:25)
at async Object.runMain (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:24232:5)
For better support reasons, I suggest that COREPACK_INTEGRITY_KEYS also support 0 and/or false as possible values for disabling the signature validation.
After updating to version
0.27
, I'm required to setCOREPACK_INTEGRITY_KEYS=""
to overcome the lack of signature keys in the payload returned by a JFrog private registry.The environment variable is properly recognized when calling
corepack
directly, but it ends up ignored whencorepack
is spawned by other tools, such as Renovate and Jenkins. Those filter out empty environment variables, leading to an unexpected error:For better support reasons, I suggest that
COREPACK_INTEGRITY_KEYS
also support0
and/orfalse
as possible values for disabling the signature validation.