Corepack Signature Mismatch - Fix "does not match signature" in CI
Corepack provisions the exact package-manager version pinned in packageManager and verifies its integrity hash/signature. A mismatch means the downloaded artifact did not match the recorded hash - usually a corrupted fetch or a stale Corepack, occasionally a wrong pinned hash.
What this error means
Corepack aborts before your install runs, reporting that the downloaded package manager does not match the expected signature/hash from the packageManager field. Re-running on a clean runner sometimes succeeds, which points at a transient/corrupted download.
Error: Mismatch hashes. Expected sha224.abc..., got sha224.def...
at validateStream (.../corepack/dist/lib/corepack.cjs)
# packageManager: "pnpm@9.7.0+sha224.<hash>"Common causes
A corrupted or partial download
Corepack fetches the package-manager binary; a truncated or proxy-mangled download hashes differently from the pinned value, so verification fails.
A stale Corepack with an old key/hash set
An outdated bundled Corepack may not validate a newer release’s signature correctly, producing a mismatch.
A wrong hash in the packageManager field
If the packageManager hash was hand-edited or corrupted, it will never match the real artifact.
How to fix it
Update Corepack and re-provision
Install a current Corepack, then let it provision the pinned version.
npm install -g corepack@latest
corepack enable
corepack prepare --activate
pnpm installRecover the download path
- Retry the job - a corrupted fetch usually succeeds on a clean runner.
- Ensure the proxy allows Corepack’s download host so the artifact arrives intact.
- If the hash is genuinely wrong, regenerate the packageManager field with corepack use.
How to prevent it
- Keep Corepack current in CI images.
- Pin packageManager with a valid version+hash via corepack use.
- Allow Corepack’s download host through proxies.