
Docker build fails due to Corepack PNPM signature verification error #11037

Closed
cgilly2fast opened this issue Feb 7, 2025 · 5 comments

cgilly2fast commented Feb 7, 2025

Describe the Bug

Description

The current Dockerfile fails to build due to a Corepack signature verification error when trying to install PNPM. This is related to a known issue with recent versions of PNPM and Corepack (see: pnpm/pnpm#9029).

I attached my workaround for pnpm to the bottom of this write-up.

Error Message

=> ERROR [deps 4/4] RUN   if [ -f yarn.lock ]; then yarn --frozen-lockfile;   elif [ -f pac  2.7s 
------                                                                                             
 > [deps 4/4] RUN   if [ -f yarn.lock ]; then yarn --frozen-lockfile;   elif [ -f package-lock.json ]; then npm ci;   elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm i --frozen-lockfile;   else echo "Lockfile not found." && exit 1;   fi:                                              
2.702 /usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:21535                             
2.702   if (key == null || signature == null) throw new Error(`Cannot find matching keyid: ${JSON.stringify({ signatures, keys })}`);
2.702                                               ^
2.702 
2.702 Error: Cannot find matching keyid: {"signatures":[{"sig":"MEYCIQDkZyZZmBzkRcQowEEFiEcGp4/xV8GBLXxTEzz9QstrsAIhAPx6tvZixjTub6GPqJa82vcWFhUU39JCtoJvcoRK/K39","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}
2.702     at verifySignature (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:21535:47)
2.702     at fetchLatestStableVersion (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:21553:5)
2.702     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
2.702     at async fetchLatestStableVersion2 (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:21672:14)
2.702     at async Engine.getDefaultVersion (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:22292:23)
2.702     at async Engine.executePackageManagerRequest (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:22390:47)
2.702     at async Object.runMain (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:23096:5)
2.702 
2.702 Node.js v22.12.0
------

 3 warnings found (use docker --debug to expand):
 - LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format (line 44)
 - LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format (line 67)
 - JSONArgsRecommended: JSON arguments recommended for CMD to prevent unintended behavior related to OS signals (line 71)
Dockerfile:14
--------------------
  13 |     COPY package.json yarn.lock* package-lock.json* pnpm-lock.yaml* ./
  14 | >>> RUN \
  15 | >>>   if [ -f yarn.lock ]; then yarn --frozen-lockfile; \
  16 | >>>   elif [ -f package-lock.json ]; then npm ci; \
  17 | >>>   elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm i --frozen-lockfile; \
  18 | >>>   else echo "Lockfile not found." && exit 1; \
  19 | >>>   fi
  20 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c if [ -f yarn.lock ]; then yarn --frozen-lockfile;   elif [ -f package-lock.json ]; then npm ci;   elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm i --frozen-lockfile;   else echo \"Lockfile not found.\" && exit 1;   fi" did not complete successfully: exit code: 1

Steps to Reproduce

  1. Use the current Dockerfile
  2. Run docker buildx build --platform linux/amd64 .
  3. Build fails at the PNPM installation step due to Corepack signature verification

Working Solution

I've implemented a workaround by updating the Dockerfile to use a specific version of Corepack and PNPM. Here are the changes needed:

Add this code block in the deps and builder stages:

# Set up pnpm
ENV PNPM_HOME="/pnpm"
ENV PATH="$PNPM_HOME:$PATH"
# Update Corepack to the version with the fix and enable PNPM
RUN npm install -g [email protected] && \
    corepack enable && \
    corepack prepare [email protected] --activate

WORKAROUND DOCKER FILE:

FROM node:22.12.0-alpine AS base

# Install dependencies only when needed
FROM base AS deps
# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
RUN apk add --no-cache libc6-compat
WORKDIR /app

# ADDED CODE 1 START
# Set up pnpm
ENV PNPM_HOME="/pnpm"
ENV PATH="$PNPM_HOME:$PATH"

# Update Corepack to the version with the fix and enable PNPM
RUN npm install -g [email protected] && \
    corepack enable && \
    corepack prepare [email protected] --activate
# ADDED CODE 1 END

# Install dependencies based on the preferred package manager
COPY package.json yarn.lock* package-lock.json* pnpm-lock.yaml* ./
RUN \
  if [ -f yarn.lock ]; then yarn --frozen-lockfile; \
  elif [ -f package-lock.json ]; then npm ci; \
  elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm i --frozen-lockfile; \
  else echo "Lockfile not found." && exit 1; \
  fi


# Rebuild the source code only when needed
FROM base AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .

# Next.js collects completely anonymous telemetry data about general usage.
# Learn more here: https://nextjs.org/telemetry
# Uncomment the following line in case you want to disable telemetry during the build.
# ENV NEXT_TELEMETRY_DISABLED 1

# ADDED CODE 2 START
# Set up pnpm
ENV PNPM_HOME="/pnpm"
ENV PATH="$PNPM_HOME:$PATH"

# Update Corepack to the version with the fix and enable PNPM
RUN npm install -g [email protected] && \
    corepack enable && \
    corepack prepare [email protected] --activate
# ADDED CODE 2 END

RUN \
  if [ -f yarn.lock ]; then yarn run build; \
  elif [ -f package-lock.json ]; then npm run build; \
  elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm run build; \
  else echo "Lockfile not found." && exit 1; \
  fi

# Production image, copy all the files and run next
FROM base AS runner
WORKDIR /app

ENV NODE_ENV production
# Uncomment the following line in case you want to disable telemetry during runtime.
# ENV NEXT_TELEMETRY_DISABLED 1

RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs

# Remove this line if you do not have this folder
COPY --from=builder /app/public ./public

# Set the correct permission for prerender cache
RUN mkdir .next
RUN chown nextjs:nodejs .next

# Automatically leverage output traces to reduce image size
# https://nextjs.org/docs/advanced-features/output-file-tracing
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static

USER nextjs

EXPOSE 3000

ENV PORT 3000

# server.js is created by next build from the standalone output
# https://nextjs.org/docs/pages/api-reference/next-config-js/output
CMD HOSTNAME="0.0.0.0" node server.js

Link to the code that reproduces this issue

https://github.com/payloadcms/payload/tree/main/templates/website

Reproduction Steps

Set up the payload website template with pnpm and then run docker buildx build --platform linux/amd64 .

Which area(s) are affected? (Select all that apply)

area: core

Environment Info

- Node.js version: 22.12.0-alpine
- PNPM version affected: ≥9.15.5
- Platform: Docker
Contributor

bykof commented Feb 7, 2025

Currently there is some problem with corepack. Updating it fixes this problem:

# Fixes: https://github.com/nodejs/corepack/issues/612#issuecomment-2630469508
RUN npm i -g corepack@latest

Use this code before pnpm install and pnpm build.

@mikecebul
Contributor

I was able to resolve this in my Dockerfile by adding this to my deps AND builder.

# Update and enable Corepack
RUN npm install -g corepack@latest && \
    corepack enable

Vercel recently made a guide. https://vercel.com/guides/corepack-errors-github-actions

@ARiyou2000

The error Cannot find matching keyid: ${JSON.stringify({ signatures, keys })} in a Docker build, specifically within the context of PNPM and Corepack, indicates an issue with verifying the signatures of packages being installed. This usually arises due to a mismatch between the expected and actual keys used to sign the packages in the npm registry.

So I updated my Node version from 20 to 22 and it worked!

- FROM node:20-alpine AS base
+ FROM node:22-alpine AS base

@virtualathlete

I fixed it by updating the node image from:
node:22.12.0-alpine
to:
node:22.15.0-alpine

# To use this Dockerfile, you have to set output: 'standalone' in your next.config.js file.
# From https://github.com/vercel/next.js/blob/canary/examples/with-docker/Dockerfile

FROM node:22.15.0-alpine AS base

# Install dependencies only when needed
FROM base AS deps
# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
RUN apk add --no-cache libc6-compat
WORKDIR /app

# Install dependencies based on the preferred package manager
COPY package.json yarn.lock* package-lock.json* pnpm-lock.yaml* ./
RUN \
  if [ -f yarn.lock ]; then yarn --frozen-lockfile; \
  elif [ -f package-lock.json ]; then npm ci; \
  elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm i --frozen-lockfile; \
  else echo "Lockfile not found." && exit 1; \
  fi

# Rebuild the source code only when needed
FROM base AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .

# Next.js collects completely anonymous telemetry data about general usage.
# Learn more here: https://nextjs.org/telemetry
# Uncomment the following line in case you want to disable telemetry during the build.
# ENV NEXT_TELEMETRY_DISABLED 1

RUN \
  if [ -f yarn.lock ]; then yarn run build; \
  elif [ -f package-lock.json ]; then npm run build; \
  elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm run build; \
  else echo "Lockfile not found." && exit 1; \
  fi

# Production image, copy all the files and run next
FROM base AS runner
WORKDIR /app

ENV NODE_ENV production
# Uncomment the following line in case you want to disable telemetry during runtime.
# ENV NEXT_TELEMETRY_DISABLED 1

RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs

# Remove this line if you do not have this folder
COPY --from=builder /app/public ./public

# Set the correct permission for prerender cache
RUN mkdir .next
RUN chown nextjs:nodejs .next

# Automatically leverage output traces to reduce image size
# https://nextjs.org/docs/advanced-features/output-file-tracing
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static

USER nextjs

EXPOSE 3000

ENV PORT 3000

# server.js is created by next build from the standalone output
# https://nextjs.org/docs/pages/api-reference/next-config-js/output
CMD HOSTNAME="0.0.0.0" node server.js

Member

denolfe commented May 5, 2025

This error was due to a key rotation issue with corepack, large thread here: nodejs/corepack#612

There are a few workarounds in that thread. Here is one solution specifically that should work for you.

Closing this as it is not directly related to Payload.
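
The key-rotation failure discussed in this thread, as an added example that is not part of the original comments and is not Corepack's own code: a verifier with a pinned key list rejects a release signed by a newer key until that list is updated, and reports it differently from a bad signature. The key pairs, the package string and the keyid derivation are constructed for the sample.

```javascript
// Added illustration, not Corepack's source. Keys, package name and integrity
// value are constructed at run time; nothing here contacts the npm registry.
const crypto = require("node:crypto");

// Assumed keyid convention for this sample: "SHA256:" + base64(sha256(DER key)).
function makeSigner() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const der = publicKey.export({ type: "spki", format: "der" });
  const digest = crypto.createHash("sha256").update(der).digest("base64");
  const keyid = "SHA256:" + digest.replace(/=+$/, "");
  return { privateKey, trusted: { keyid, key: der.toString("base64") } };
}

// Produce a registry-style signature entry: { keyid, sig } with a DER ECDSA signature.
function sign(signer, message) {
  const sig = crypto.createSign("SHA256").update(message).sign(signer.privateKey, "base64");
  return { keyid: signer.trusted.keyid, sig };
}

// Returns "ok", "bad-signature", or "no-matching-keyid" (pinned key list is stale).
// Every outcome except "ok" must stop the install.
function checkSignature(message, signatures, keys) {
  for (const { keyid, sig } of signatures) {
    const trusted = keys.find((k) => k.keyid === keyid);
    if (!trusted) continue; // signed by a key this verifier does not know
    const pub = crypto.createPublicKey({
      key: Buffer.from(trusted.key, "base64"), format: "der", type: "spki",
    });
    const valid = crypto.createVerify("SHA256").update(message).verify(pub, sig, "base64");
    return valid ? "ok" : "bad-signature";
  }
  return "no-matching-keyid";
}

const oldKey = makeSigner(); // key bundled with the older verifier
const newKey = makeSigner(); // key the registry rotated to
const message = "example-pm@1.0.0:sha512-CONSTRUCTED"; // name@version:integrity
const bundledKeys = [oldKey.trusted];
const results = {
  beforeRotation: checkSignature(message, [sign(oldKey, message)], bundledKeys),
  afterRotation: checkSignature(message, [sign(newKey, message)], bundledKeys),
  afterUpdate: checkSignature(message, [sign(newKey, message)], [oldKey.trusted, newKey.trusted]),
  tampered: checkSignature(message + "x", [sign(oldKey, message)], bundledKeys),
};
console.log(results);
```

The `afterRotation` case corresponds to the `Cannot find matching keyid` error in the build log above; `afterUpdate` corresponds to a verifier that ships the newer key.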

@denolfe denolfe closed this as completed May 5, 2025