Corepack "Signature verification failed" / Cannot Download - Fix in CI
Corepack downloads the exact yarn/pnpm version pinned by packageManager and verifies its signature. CI failures here are usually a stale Corepack, a blocked download, or an outdated key bundle.
What this error means
Enabling or running a package manager via Corepack fails with a signature/keyid error or a failed download, before your own install even starts. Re-running on a fresh runner sometimes works, pointing at network or a stale Corepack.
Error: Cannot find matching keyid: {"signatures":[...]}
at verifySignature (.../corepack/dist/lib/corepack.cjs)
Internal Error: Failed to fetch the latest version of pnpmCommon causes
An outdated Corepack with a stale key set
Corepack ships signing keys; an old bundled Corepack may not recognize a newer package-manager release’s signature, producing a keyid error.
The package-manager download was blocked or flaky
Corepack fetches the binary from the registry/CDN. A proxy block or transient failure aborts the download.
How to fix it
Update Corepack, then enable
Install a current Corepack so its key bundle recognizes recent releases.
npm install -g corepack@latest
corepack enable
corepack prepare pnpm@9.7.0 --activate
pnpm installHandle the download path
- Retry the job - a flaky CDN fetch usually recovers.
- Ensure the proxy allows Corepack’s download host.
- Pre-cache the package-manager binary in the runner image for offline-ish CI.
How to prevent it
- Keep Corepack current in CI images.
- Pin packageManager for reproducible provisioning.
- Allow Corepack’s download host through proxies.