
`COREPACK_INTEGRITY_KEYS` being ignored when corepack is spawned by other tools

Open lsrocha opened this issue 10 months ago • 2 comments

After updating to version 0.27, I'm required to set COREPACK_INTEGRITY_KEYS="" to overcome the lack of signature keys in the payload returned by a JFrog private registry.

The environment variable is properly recognized when calling corepack directly, but it ends up ignored when corepack is spawned by other tools, such as Renovate and Jenkins. Those filter out empty environment variables, leading to an unexpected error:

```
/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:22685
const key = keys.find(({ keyid }) => signatures.some((s) => s.keyid === keyid));
                                                  ^

TypeError: Cannot read properties of undefined (reading 'some')
    at /usr/lib/node_modules/corepack/dist/lib/corepack.cjs:22685:51
    at Array.find (<anonymous>)
    at verifySignature (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:22685:20)
    at installVersion (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:23037:7)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Engine.ensurePackageManager (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:23449:32)
    at async Engine.executePackageManagerRequest (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:23545:25)
    at async Object.runMain (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:24232:5)
```

For better support reasons, I suggest that COREPACK_INTEGRITY_KEYS also support 0 and/or false as possible values for disabling the signature validation.

lsrocha, Apr 24 '24 17:04

That makes sense, do you want to send a PR?

aduh95, Apr 24 '24 18:04

@aduh95 Nice. I will prepare it.

lsrocha, Apr 24 '24 19:04
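
The failure mode discussed in this thread, as an added example that is not part of the issue and not corepack's code: an empty `COREPACK_INTEGRITY_KEYS` dropped by the spawning tool re-enables verification, and unsigned registry metadata then has to produce an explicit error rather than a `TypeError`. The function names, the JSON-array shape of custom keys, the `dist.signatures` location and the sample data are assumptions of this sketch.

```javascript
// Added example; function names are hypothetical, not corepack's API.
const DISABLE_VALUES = new Set(["", "0", "false"]); // "0"/"false": proposed in the issue

// Models a spawner that drops empty variables before exec, as the issue reports.
function stripEmptyEnv(env) {
  return Object.fromEntries(Object.entries(env).filter(([, v]) => v !== ""));
}

// Decide whether signature verification is on, and with which keys.
function parseIntegrityKeys(env, builtinKeys) {
  const raw = env.COREPACK_INTEGRITY_KEYS;
  if (raw === undefined) return { verify: true, keys: builtinKeys };
  if (DISABLE_VALUES.has(raw.trim().toLowerCase())) return { verify: false, keys: [] };
  let keys;
  try {
    keys = JSON.parse(raw); // assumption: a JSON array of { keyid, ... } objects
  } catch {
    throw new Error("COREPACK_INTEGRITY_KEYS is neither a disable value nor valid JSON");
  }
  if (!Array.isArray(keys)) throw new Error("COREPACK_INTEGRITY_KEYS must be a JSON array");
  return { verify: true, keys };
}

// Same lookup as the line in the stack trace, with missing signatures handled explicitly.
function selectSigningKey(keys, signatures) {
  if (!Array.isArray(signatures) || signatures.length === 0) {
    throw new Error("registry metadata has no signatures; refusing to install unverified");
  }
  const key = keys.find(({ keyid }) => signatures.some((s) => s.keyid === keyid));
  if (!key) throw new Error("no trusted key matches the signatures in the registry metadata");
  return key;
}

// Returns "skipped" when verification is disabled, else the matching keyid.
function checkManifest(env, builtinKeys, manifest) {
  const { verify, keys } = parseIntegrityKeys(env, builtinKeys);
  if (!verify) return "skipped";
  return selectSigningKey(keys, manifest.dist?.signatures).keyid;
}

// Constructed sample data.
const BUILTIN_KEYS = [{ keyid: "SHA256:constructed-key-1" }];
const SIGNED = { dist: { signatures: [{ keyid: "SHA256:constructed-key-1", sig: "constructed" }] } };
const UNSIGNED = { dist: {} }; // metadata without a signatures field
```

With `stripEmptyEnv` applied, `""` is lost and the unsigned manifest is rejected with a clear message, while `"0"` and `"false"` survive the filter and still disable the check.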