Installing pnpm 10.1.0 on windows fails with cannot find matching keyid #9014

Closed
2 of 4 tasks
akaltar opened this issue Jan 27, 2025 · 9 comments

akaltar commented Jan 27, 2025

Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

10.1.0

Which area(s) of pnpm are affected? (leave empty if unsure)

Operating System (Windows, MacOS, Linux)

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

`corepack install --global pnpm@10.1.0`
or even `pnpm self-update` fails

Oddly, installing any other pnpm version seems to work, and the error isn't the same as when trying to install a non-existent version.

Describe the Bug

Internal Error: Cannot find matching keyid: {"signatures":[{"sig":"MEUCIQDlkgmNyZjT7KUY8AO6jH7Gs3fyiXG8nbTnuLbd8fOS2AIgXyJ6SaYhumMFzUYQAZPJGhsnlaD5N0X2MZsbG+eS/Xo=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}
    at verifySignature (C:\Program Files\nodejs\node_modules\corepack\dist\lib\corepack.cjs:22688:11)
    at installVersion (C:\Program Files\nodejs\node_modules\corepack\dist\lib\corepack.cjs:23037:7)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Engine.ensurePackageManager (C:\Program Files\nodejs\node_modules\corepack\dist\lib\corepack.cjs:23449:32)
    at async InstallGlobalCommand.installFromDescriptor (C:\Program Files\nodejs\node_modules\corepack\dist\lib\corepack.cjs:23846:5)
    at async InstallGlobalCommand.execute (C:\Program Files\nodejs\node_modules\corepack\dist\lib\corepack.cjs:23828:9)
    at async InstallGlobalCommand.validateAndExecute (C:\Program Files\nodejs\node_modules\corepack\dist\lib\corepack.cjs:20954:22)
    at async _Cli.run (C:\Program Files\nodejs\node_modules\corepack\dist\lib\corepack.cjs:21929:18)
    at async Object.runMain (C:\Program Files\nodejs\node_modules\corepack\dist\lib\corepack.cjs:24227:18)

Expected Behavior

pnpm 10.1.0 gets installed

Which Node.js version are you using?

Node.js v22.1.0

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

No response

@MikeMcC399

It affects all operating systems

@wraithgar

https://registry.npmjs.org/-/npm/v1/keys should now be returning two keys. During key rotation the old one was omitted by mistake and has since been re-added. CDN caching will of course take a little time to catch up but both the SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA key (which was used to sign tarballs up until last week) and the SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U key (which is being used going forward) are both in that endpoint, which should allow folks to verify signatures again.
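
An added example (not part of the thread and not Corepack's own code) of why a verifier with a pinned key list fails closed once tarballs are signed with a rotated key, plus a helper that reads the error payload to show which keyid is missing. The key pairs, the integrity string, the function names and the keyid derivation are constructed assumptions; the signed string follows npm's documented `name@version:integrity` format.

```javascript
const crypto = require('node:crypto');

// Constructed P-256 key pair standing in for a registry signing key.
function makeKey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const der = publicKey.export({ type: 'spki', format: 'der' });
  // Assumption: keyid = "SHA256:" + unpadded base64 SHA-256 of the DER public key.
  const digest = crypto.createHash('sha256').update(der).digest('base64');
  return { keyid: 'SHA256:' + digest.replace(/=+$/, ''), key: der.toString('base64'), privateKey };
}

// Registry side: sign "name@version:integrity" and tag the signature with the signer's keyid.
function sign(signer, message) {
  const sig = crypto.sign('sha256', Buffer.from(message), signer.privateKey);
  return { sig: sig.toString('base64'), keyid: signer.keyid };
}

// Client side: trustedKeys is the pinned list of { keyid, key }.
function verifySignature(trustedKeys, signatures, message) {
  for (const { keyid, sig } of signatures) {
    const trusted = trustedKeys.find((k) => k.keyid === keyid);
    if (!trusted) continue;
    const pub = crypto.createPublicKey({ key: Buffer.from(trusted.key, 'base64'), format: 'der', type: 'spki' });
    if (!crypto.verify('sha256', Buffer.from(message), pub, Buffer.from(sig, 'base64'))) {
      throw new Error('Signature does not match');
    }
    return keyid;
  }
  // Fail closed: a signature from an unknown key is rejected, not skipped.
  throw new Error('Cannot find matching keyid: ' + JSON.stringify({ signatures, keys: trustedKeys }));
}

// Triage helper: which signing keyids in an error payload are absent from the pinned set?
function missingKeyids(errorMessage) {
  const payload = JSON.parse(errorMessage.slice(errorMessage.indexOf('{')));
  const pinned = new Set(payload.keys.map((k) => k.keyid));
  return payload.signatures.map((s) => s.keyid).filter((id) => !pinned.has(id));
}

function rotationDemo() {
  const pub = ({ keyid, key }) => ({ keyid, key });
  const oldKey = makeKey(), newKey = makeKey();
  const message = 'pnpm@10.1.0:sha512-CONSTRUCTED'; // constructed integrity value
  const signatures = [sign(newKey, message)];
  let error = null;
  try { verifySignature([pub(oldKey)], signatures, message); } catch (e) { error = e.message; }
  const accepted = verifySignature([pub(oldKey), pub(newKey)], signatures, message);
  return { error, accepted, newKeyid: newKey.keyid, missing: missingKeyids(error) };
}
```

Passing the full error line from a failed install to `missingKeyids` returns the keyid that the installed Corepack does not pin.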

@MikeMcC399

@akaltar

There has been a new release corepack@0.31.0 with updated npm keys.

After a manual install:

```
npm install -g corepack@latest
```

I was then able to execute the following successfully:

```
corepack use pnpm@10.1.0
```

@akaltar
Author

akaltar commented Jan 28, 2025

In any case this wasn't an issue with pnpm directly. Thanks!

@akaltar akaltar closed this as completed Jan 28, 2025
@zkochan
Member

zkochan commented Jan 28, 2025

Hi! Great to see that people started using v10. I am still a bit terrified to make it latest due to the big change with blocking scripts of dependencies by default.

@akaltar
Author

akaltar commented Jan 29, 2025

Hi!
I've found it very easy to upgrade in cases where we were already on pnpm 9: since it lists all blocked scripts on install, it's very easy to just add them to the "onlyBuiltDependencies" array.

I've actually had more issues with eslint breaking where we haven't updated to eslint 9 yet. Even when I knew the issue, it required a bit of fiddling, because the syntax and location where you specify the public hoist pattern was very odd, and because in some cases it was due to a missing package in the package.json in a monorepo.

Another possible breakage I can see is people relying on the post-install scripts being run regardless of packages needing update, although we haven't seen this yet. For example, we had a graphql generation on post-install and I can imagine it taking some people by surprise that it doesn't run due to the new caching.

And last but not least, even with the corepack update fixing 10.1.0 in theory, on Windows there is no neat way to update corepack: `npm install -g` or `pnpm install -g` doesn't replace the initial command. But that's again a separate issue unrelated to pnpm.

@MikeMcC399

Workaround for keyid issues using Corepack 0.27.0 to 0.30.0 releases with pnpm@10.1.0:

Bash

```
SHA_SUM=$(npm view pnpm@10.1.0 dist.shasum)
corepack install -g pnpm@10.1.0+sha1.$SHA_SUM
```

Windows PowerShell

```
$SHA_SUM = npm view pnpm@10.1.0 dist.shasum
corepack install -g pnpm@10.1.0+sha1.$SHA_SUM
```

This may be needed for pnpm releases after 10.1.0 until an update of Corepack is packaged with Node.js and released. Just replace the pnpm version in the above shell script snippets with any new version.

@leonhelmus

Thanks for the solution @MikeMcC399

steverice added a commit to steverice/typespec that referenced this issue Feb 3, 2025
This should fix the issue
```
#10 0.515 Error: Cannot find matching keyid: {"signatures":[{"sig":"MEQCIHGqHbvc2zImUPEPFpT4grh6rMYslel+lAjFArx8+RUdAiBfnJA+bgmUvO5Lctfkq+46KKDQdx/8RhLPge3pA+EdHA==","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}
```

when running docker builds. See pnpm/pnpm#9014 (comment) for more context.
steverice added a commit to steverice/typespec that referenced this issue Feb 3, 2025
This should fix the issue
```
Error: Cannot find matching keyid: {"signatures":[{"sig":"MEQCIHGqHbvc2zImUPEPFpT4grh6rMYslel+lAjFArx8+RUdAiBfnJA+bgmUvO5Lctfkq+46KKDQdx/8RhLPge3pA+EdHA==","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}
```

when running docker builds. See pnpm/pnpm#9014 (comment) for more context.
tjmw added a commit to guardian/support-service-lambdas that referenced this issue Feb 3, 2025
We started seeing issues with pnpm signatures, which is apparently fixed
with a later corepack release.

See pnpm/pnpm#9014
andrewHEguardian added a commit to guardian/csnx that referenced this issue Feb 3, 2025
## What are you changing?

- Use a specific version of corepack

## Why?

- The build is failing, see pnpm/pnpm#9014.
This is a proposed fix also used in
guardian/support-service-lambdas#2666
github-merge-queue bot pushed a commit to microsoft/typespec that referenced this issue Feb 3, 2025
This should fix the issue
```
Cannot find matching keyid: {"signatures":[{"sig":"MEQCIHGqHbvc2zImUPEPFpT4grh6rMYslel+lAjFArx8+RUdAiBfnJA+bgmUvO5Lctfkq+46KKDQdx/8RhLPge3pA+EdHA==","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}
```

when running docker builds. See
pnpm/pnpm#9014 (comment) for
more context.

On my machine, I've run `docker build -f ./docker/Dockerfile .` before
and after this change. Before I get the integrity error, after
everything works again.
yusing pushed a commit to yusing/go-proxy-frontend that referenced this issue Feb 4, 2025
pranavrajs pushed a commit to chatwoot/chatwoot that referenced this issue Feb 5, 2025
So, a while back Circle CI builds and Heroku builds started to fail. 

From all the threads I read, it seems like the [npm registry rotated
its signing
keys](pnpm/pnpm#9014 (comment)).
New pnpm versions were signed with the new key. Corepack, however,
bundles a static set of trusted keys (from Node’s release), so it
continued verifying signatures only against the old key. When it
encountered packages signed with the new key, Corepack’s integrity check
failed with “Cannot find matching keyid” errors. This mismatch caused
Corepack’s integrity check to fail with “Cannot find matching keyid”
errors.

Workarounds include the following:

1. Updating Corepack (to 0.31.0), they [upgraded their
package](https://github.com/nodejs/corepack/releases/tag/v0.31.0) to
include the new integrity check keys. But we seldom control what's going
on with the CI; also, updating this across our scripts is going to be a
painful task. Besides, Heroku has [made some
fixes](heroku/buildpacks-nodejs#1010) around
this
2. Disabling integrity checks 🔥 #YOLO
3. Pinning `pnpm` to older versions, or pinning it to a newer version
with the checksum in place.

Doing the third one here, running `corepack use pnpm@9.15.5` fixes this,
[ref](pnpm/pnpm#9014 (comment))

We can get rid of this over time as CDN caches used by build systems are
refreshed. But the change in this PR is not disruptive in any way, only
rigidly secure.

Fixes: #10832

---

Here are the threads to follow 

- pnpm/pnpm#9014
- pnpm/pnpm#9029
- nodejs/corepack#612
- nodejs/corepack#616
- heroku/buildpacks-nodejs#1010

---------

Co-authored-by: Vishnu Narayanan <vishnu@chatwoot.com>
xtexx added a commit to AOSC-Dev/aosc-os-abbs that referenced this issue Feb 8, 2025
This backports node update of corepack to 0.31.0, updating npmjs.org
keys pinned by corepack.

This should fix the following error:

corepack install -g pnpm@10.2.1
Installing pnpm@10.2.1...
Internal Error: Cannot find matching keyid: {"signatures":[{"sig":"MEYCIQDkZyZZmBzkRcQowEEFiEcGp4/xV8GBLXxTEzz9QstrsAIhAPx6tvZixjTub6GPqJa82vcWFhUU39JCtoJvcoRK/K39","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}

Link: pnpm/pnpm#9014
Link: nodejs/corepack#612
Link: misskey-dev/misskey#15386
Link: https://github.com/nodejs/corepack/releases/tag/v0.31.0
Link: nodejs/node@63c1859
Link: nodejs/node#56795
Backport-of: 63c1859e019465cbb0b6b46ba0d481fb41d94a22
Reviewed-by: xtex <xtex@aosc.io>
Signed-off-by: xtex <xtex@aosc.io>
xtexx added a commit to AOSC-Dev/aosc-os-abbs that referenced this issue Feb 8, 2025
This backports node update of corepack to 0.31.0, updating npmjs.org
keys pinned by corepack.

The patch should be removed after nodejs 22.14.0 proposal gets released.

This should fix the following error:

corepack install -g pnpm@10.2.1
Installing pnpm@10.2.1...
Internal Error: Cannot find matching keyid: {"signatures":[{"sig":"MEYCIQDkZyZZmBzkRcQowEEFiEcGp4/xV8GBLXxTEzz9QstrsAIhAPx6tvZixjTub6GPqJa82vcWFhUU39JCtoJvcoRK/K39","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}

Link: nodejs/node#56910
Link: pnpm/pnpm#9014
Link: nodejs/corepack#612
Link: misskey-dev/misskey#15386
Link: https://github.com/nodejs/corepack/releases/tag/v0.31.0
Link: nodejs/node@63c1859
Link: nodejs/node#56795
Backport-of: 63c1859e019465cbb0b6b46ba0d481fb41d94a22
Reviewed-by: xtex <xtex@aosc.io>
Signed-off-by: xtex <xtex@aosc.io>
MingcongBai pushed a commit to AOSC-Dev/aosc-os-abbs that referenced this issue Feb 8, 2025
flynncao added a commit to flynncao/afanime that referenced this issue Feb 11, 2025