Skip to content
Latchkey

Corepack "signature verification failed" in CI

Corepack verifies the integrity signature of the package-manager release it downloads. Verification failed because the Corepack bundled with your Node is older than the signing keys used for the requested pnpm/yarn version.

What this error means

corepack prepare or an auto-managed pnpm/yarn invocation fails with "Signature does not match" or "signature verification failed". It started after pinning a newer package-manager version with an older Node/Corepack.

node
Error: Cannot find matching keyid: {"signatures":[...]}
Internal Error: Signature does not match - corepack signature verification failed

Common causes

Stale Corepack bundled with Node

The Corepack version shipped with the pinned Node predates the signing keys for the requested package-manager release.

Pinned a very new package-manager version

packageManager points at a release signed with keys the old Corepack does not know.

How to fix it

Update Corepack

Install a newer Corepack that knows the current signing keys, then enable it.

Terminal
npm install -g corepack@latest
corepack enable
corepack prepare pnpm@9.7.0 --activate

Use a Node version with current Corepack

Bump the runner Node so its bundled Corepack matches the package-manager release you pin.

  1. Raise the Node version in the workflow.
  2. Align the packageManager field with a release that Node version can verify.
  3. Re-run corepack prepare to confirm verification passes.

How to prevent it

  • Keep Corepack updated alongside the package-manager version you pin.
  • Match the Node version to the package-manager release in packageManager.
  • Avoid pinning a package-manager release newer than the runner Corepack can verify.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →