
Corepack does not work with COREPACK_NPM_REGISTRY that does not return signatures (Artifactory)

Open dhardtke opened this issue 6 months ago • 1 comments

Related to https://github.com/nodejs/corepack/issues/537 and https://github.com/nodejs/corepack/issues/570

Corepack does not work with our registry as it does not return the field dist.signatures. Here's a comparison of https://registry.npmjs.org/pnpm/10.12.4 and <our-artifactory-host>/artifactory/api/npm/default-npm-3rdparty/pnpm/10.12.4

npmjs:

"dist": {
    "shasum": "88a0ccfe72d6345dede50dc9d6158400be2420eb",
    "tarball": "https://registry.npmjs.org/pnpm/-/pnpm-10.12.4.tgz",
    "fileCount": 1111,
    "integrity": "sha512-Xqiw3u2U7WhpHJutTJVUknBcXuuKh++GvGLHSiawN7CP+VcPEIsuTb0d0akYb+qSXlJ/FBxkjoWvRWMQdGgBhA==",
    "signatures": [
      {
        "sig": "MEUCIHgFNYCynawsQj2TFih8MSo5NU8irHoWSjYIWoFdjXsUAiEArLjxP+kP0pDgYCk1HfGfrLjxph157UO/0WcQTCDmxTM=",
        "keyid": "SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"
      }
    ],
    "unpackedSize": 17665923
  },

artifactory:

"dist" : {
    "tarball" : "<our-artifactory-host>/artifactory/api/npm/default-npm-3rdparty/pnpm/-/pnpm-10.12.4.tgz",
    "shasum" : "88a0ccfe72d6345dede50dc9d6158400be2420eb",
    "integrity" : "sha512-Xqiw3u2U7WhpHJutTJVUknBcXuuKh++GvGLHSiawN7CP+VcPEIsuTb0d0akYb+qSXlJ/FBxkjoWvRWMQdGgBhA=="
  },

Interestingly, <our-artifactory-host>/artifactory/api/npm/default-npm-3rdparty/pnpm/ returns the dist field just like npmjs, including signatures.

So maybe it is feasible to fetch the whole JSON for all versions as a fallback?

dhardtke, Jun 28 '25 20:06
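Added example, not part of the original issue and not Corepack's own code: a sketch of the fallback proposed above, where `dist.signatures` is taken from the per-version document when present and otherwise from the full package document, then verified over the npm registry's signed string `<name>@<version>:<integrity>`. The key pair, key id, integrity value and the function names `findSignatures` and `checkVersion` are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for a registry signing key (NOT npm's real key).
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const KEY_ID = 'SHA256:constructed-example-key';
const trustedKeys = new Map([[KEY_ID, publicKey]]);

// npm registry signatures cover "<name>@<version>:<integrity>".
const signedMessage = (name, version, integrity) =>
  Buffer.from(`${name}@${version}:${integrity}`);

// Prefer the per-version document; fall back to the full package document.
// Returns [] when neither carries signatures.
function findSignatures(versionDoc, packument) {
  const direct = versionDoc?.dist?.signatures;
  if (Array.isArray(direct) && direct.length > 0) return direct;
  const fallback = packument?.versions?.[versionDoc.version]?.dist?.signatures;
  return Array.isArray(fallback) ? fallback : [];
}

// Returns 'verified', 'unsigned' (nothing to check) or 'invalid'.
// The integrity always comes from the document that will be installed from,
// so a signature borrowed from the fallback cannot vouch for different bytes.
function checkVersion(versionDoc, packument, keys) {
  const { name, version, dist } = versionDoc;
  const sigs = findSignatures(versionDoc, packument);
  if (sigs.length === 0) return 'unsigned';
  const msg = signedMessage(name, version, dist.integrity);
  const ok = sigs.some(({ keyid, sig }) => {
    const key = keys.get(keyid); // unknown key ids are never accepted
    return key !== undefined &&
      crypto.verify('sha256', msg, key, Buffer.from(sig, 'base64'));
  });
  return ok ? 'verified' : 'invalid';
}

// Constructed sample metadata shaped like the two responses in the issue.
const integrity = 'sha512-Y29uc3RydWN0ZWQ=';
const sig = crypto
  .sign('sha256', signedMessage('pnpm', '10.12.4', integrity), privateKey)
  .toString('base64');
const npmStyleDoc = { name: 'pnpm', version: '10.12.4',
  dist: { integrity, signatures: [{ keyid: KEY_ID, sig }] } };
const proxyStyleDoc = { name: 'pnpm', version: '10.12.4', dist: { integrity } };
const packument = { name: 'pnpm', versions: { '10.12.4': npmStyleDoc } };
```

With the fallback, the proxy-style document verifies only while its `integrity` matches what was signed; a document with a different `integrity` is reported as `invalid` rather than `unsigned`.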

Hi @dhardtke,

Corepack provides an environment variable to disable the signature check: COREPACK_INTEGRITY_KEYS. If you set it to 0, it should work.

lsrocha, Jul 08 '25 10:07