Skip to content
Latchkey

Corepack "Signature verification failed" / Cannot Download - Fix in CI

Corepack downloads the exact yarn/pnpm version pinned by packageManager and verifies its signature. CI failures here are usually a stale Corepack, a blocked download, or an outdated key bundle.

What this error means

Enabling or running a package manager via Corepack fails with a signature/keyid error or a failed download, before your own install even starts. Re-running on a fresh runner sometimes works, pointing at network or a stale Corepack.

Corepack output
Error: Cannot find matching keyid: {"signatures":[...]}
    at verifySignature (.../corepack/dist/lib/corepack.cjs)
Internal Error: Failed to fetch the latest version of pnpm

Common causes

An outdated Corepack with a stale key set

Corepack ships signing keys; an old bundled Corepack may not recognize a newer package-manager release’s signature, producing a keyid error.

The package-manager download was blocked or flaky

Corepack fetches the binary from the registry/CDN. A proxy block or transient failure aborts the download.

How to fix it

Update Corepack, then enable

Install a current Corepack so its key bundle recognizes recent releases.

Terminal
npm install -g corepack@latest
corepack enable
corepack prepare pnpm@9.7.0 --activate
pnpm install

Handle the download path

  1. Retry the job - a flaky CDN fetch usually recovers.
  2. Ensure the proxy allows Corepack’s download host.
  3. Pre-cache the package-manager binary in the runner image for offline-ish CI.

How to prevent it

  • Keep Corepack current in CI images.
  • Pin packageManager for reproducible provisioning.
  • Allow Corepack’s download host through proxies.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →