verifySignature fails when registry returns dist.signatures on package root but not on version endpoint #808

@sahil-pf

Description

Corepack's verifySignature function fails with No compatible signature found in package metadata when the npm registry (JFrog Artifactory) returns dist.signatures on the package root endpoint (/<package>) but strips them from the version-specific endpoint (/<package>/<version>).

This is related to #725, but this issue specifically proposes a client-side improvement rather than waiting for the registry to fix the bug.

Reproduction

When using JFrog Artifactory as an npm registry proxy, querying the same instance for npm@11.9.0:

Version endpoint (/npm/11.9.0) — signatures missing:

{
  "dist": {
    "tarball": "https://artifactory.example.com/api/npm/npm/npm/-/npm-11.9.0.tgz",
    "shasum": "8cc4bc499c7ab52f1113985acc725572f99885b3",
    "integrity": "sha512-BBZoU926FCypj4b7V7ElinxsWcy4Kss88UG3ejFYmKyq7Uc5XnT34Me2nEhgCOaL5qY4HvGu5aI92C4OYd7NaA=="
  }
}

Package root (/npm) — signatures present under versions.11.9.0.dist:

{
  "dist": {
    "tarball": "https://artifactory.example.com/api/npm/npm/npm/-/npm-11.9.0.tgz",
    "shasum": "8cc4bc499c7ab52f1113985acc725572f99885b3",
    "integrity": "sha512-BBZoU926FCypj4b7V7ElinxsWcy4Kss88UG3ejFYmKyq7Uc5XnT34Me2nEhgCOaL5qY4HvGu5aI92C4OYd7NaA==",
    "signatures": [
      {
        "keyid": "SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U",
        "sig": "MEYCIQDTmejdAqE595yfEUJRrlNycmMtxUF2lbvc/2QUeacijAIhAORmTS/8EYpasfsO8aeAiFGQpWBJizpwHaWezlVr76av"
      }
    ]
  }
}

The signatures exist in the registry — Artifactory just doesn't include them when serving individual version metadata.

Error

Internal Error: No compatible signature found in package metadata
    at verifySignature (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:21999:63)
    at installVersion (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:22414:7)

Impact

This breaks any CI/CD system using corepack through a JFrog Artifactory npm proxy, including GitHub Dependabot (see dependabot/dependabot-core#14612).

Suggested improvement

When verifySignature fails to find signatures on the version-specific endpoint, corepack could fall back to the package root endpoint to retrieve signatures before failing. The package root request is heavier (returns all versions), but it would only be used as a fallback when the version endpoint is missing signatures.

Alternatively, corepack could treat missing signatures from a registry that provides signing keys as a warning rather than a fatal error, similar to how npm audit signatures handles it.

Environment

  • Corepack version: bundled with Node.js (as used by github/dependabot-action)
  • Registry: JFrog Artifactory 7.133.6 (self-hosted) proxying registry.npmjs.org
  • Affected package: any package resolved through Artifactory (e.g., npm@11.9.0)
