vercel-logotype Logovercel-logotype Logo
← Back to Guides

“Cannot Find Matching Keyid” Errors or “Corepack/PNPM Not Found” on GitHub Actions

How to debug and address this corepack issue with GitHub Actions.
Last updated on February 3, 2025
Build, Deployment & Git

If your builds suddenly fail with messages like cannot find matching keyid: {"signatures":[...],"keys":[...]}, it usually means npm registry keys have been rotated, and your older Corepack can’t verify new versions of pnpm (like 9.15.4 or 10.1.0+).

This can happen on GitHub Actions, GitLab, Docker, or anywhere else you’re using Corepack to manage package managers.

  1. Check Node.js version: node -v (If you see v16.x, you’re on Node 16; if you see v18.x or higher, you’re on Node 18+.)
  2. Check Corepack version: corepack --version. Anything older than 0.31.0 may not have the new key set.
  3. Look for conditional logic. Some workflows only update Corepack on Node 16. If you’re building on Node 18+, that logic might skip the update entirely.

Upgrade to the latest Corepack (≥ 0.31.0):

steps:
  - name: Use Latest Corepack
    run: |
      echo "Before: corepack version => $(corepack --version || echo 'not installed')"
      npm install -g corepack@latest
      echo "After : corepack version => $(corepack --version)"
      corepack enable
      pnpm --version

This ensures you have the new signing keys that match the npm registry changes.

Use Corepack 0.20, which is the last release that still supports Node 16 and includes the updated keys for recent pnpm versions:

steps:
  - name: Pin Corepack 0.20
    run: |
      echo "Before: corepack => $(corepack --version || echo 'not installed')"
      npm install -g corepack@0.20
      echo "After : corepack => $(corepack --version)"
      corepack enable
      pnpm --version

After 0.20, newer Corepack versions drop Node 16 support, so this is a safe “stopgap” if you can’t move off Node 16 yet.

While setting COREPACK_INTEGRITY_KEYS=0 (to skip signature checks) can bypass the error, it also bypasses important security. Use that approach only if you fully understand the risks.

  1. Check your Node and Corepack versions.
  2. Upgrade to Corepack ≥ 0.31.0 if you’re on Node 18+ (or pinned to 0.20 if you need Node 16).
  3. Remove any conditional logic that prevents the Corepack upgrade from running on your actual environment.
  4. Done! Your CI builds should succeed, and you stay secure.

For more details, see Corepack Issue #612 and the Corepack Releases.

Couldn't find the guide you need?