unhelpful error handling for integrity keys

[aep-sunlife]

When connecting corepack to a custom NPM registry such as Artifactory, then corepack presents unhelpful error messages about JSON objects missing keys.

++ yarn install
/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:22457
  const key = keys.find(({ keyid }) => signatures.some((s) => s.keyid === keyid));
                                                  ^

TypeError: Cannot read properties of undefined (reading 'some')
    at /opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:22457:51
    at Array.find (<anonymous>)
    at verifySignature (/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:22457:20)
    at fetchLatestStableVersion (/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:22478:5)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async fetchLatestStableVersion2 (/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:22598:14)
    at async Engine.getDefaultVersion (/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:23208:23)
    at async Engine.executePackageManagerRequest (/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:23300:47)
    at async Object.runMain (/opt/cloudbees/jenkins/.nvm/versions/node/v20.16.0/lib/node_modules/corepack/dist/lib/corepack.cjs:24007:5)

This error is far too low level to communicate to the user what the real problem is: corepack is presently configured to expect packages to be signed by integrity keys, but the signatures are either missing or do not match the configured integrity keys.

Additionally, squirreled away in GitHub issues is a tip about setting a COREPACK_INTEGRITY_KEYS environment variable. To a blank, empty string. Or to zero. Or to false.

It would be helpful for error messages about integrity mismatches to link to a dedicated corepack integrity key documentation page. The page should explain loudly, clearly, and early, that in practice, integrity violations may indicate a middle man attack injection malware into any packages downloaded via corepack and/or yarn.

Secondly, the documentation page should show the correct syntax for configuring actual integrity keys.

Third, the documentation page should pick just one value, e.g. blank string ("") to indicate when the user chooses to exlicitly disregard integrity checks. This option should come with a warning that disabling integrity checks invites malware.

[aduh95]

Would you like to send a PR?

[Swivelgames]

I'm not sure what changed in the past week or two, but our CI/CD is now breaking due to this error.

Apparently the solution is to manually update corepack. After I found this issue, I started drafting a comment and stumbled upon pnpm#9014 that was marked resolved yesterday. 👍

Snatched from the other issue, the following resolves the issue:

npm install -g corepack@latest

This allowed me to successfully active pnpm:

corepack enable
corepack prepare pnpm@latest-10 --activate

This makes sense give OpenJS's decision to remove corepack from Node.js and maintain it separately going forward. It's probably best to install it separately as instructed in this repo's README going forward.

---

Here's the logs from the original issue:

$ corepack enable
$ corepack prepare pnpm@latest-10 --activate
Preparing pnpm@latest-10 for immediate activation...
Internal Error: Cannot find matching keyid: {"signatures":[{"sig":"MEUCIQDlkgmNyZjT7KUY8AO6jH7Gs3fyiXG8nbTnuLbd8fOS2AIgXyJ6SaYhumMFzUYQAZPJGhsnlaD5N0X2MZsbG+eS/Xo=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}
    at verifySignature (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:21535:47)
    at installVersion (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:21882:7)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async Engine.ensurePackageManager (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:22316:32)
    at async PrepareCommand.execute (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:23025:27)
    at async PrepareCommand.validateAndExecute (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:19835:22)
    at async _Cli.run (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:20772:18)
    at async Object.runMain (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:23097:19)
Cleaning up project directory and file based variables
ERROR: Job failed: exit code 1

[MikeMcC399]

@Swivelgames

I'm not sure what changed in the past week or two, but our CI/CD is now breaking due to this error.

• Unfortunately the npm registry made a mistake when they rotated their keys. See Newly published versions of package managers distributed from npm cannot be installed due to key id mismatch #612 (comment)

There should probably be a review between npm registry and Corepack to see if anything can be done to prevent this type of issue from occurring again.

• Edit: I opened Saveguards for keyid mismatch #616 with some related questions

[Swivelgames]

Thanks @MikeMcC399!

@aep-sunlife I think we can safely close this 👍

[MikeMcC399]

@Swivelgames

I don't think this issue should be closed, because it is about presenting a more readable error message.