feat: add support for `COREPACK_INTEGRITY_KEYS=0` (#470)

README.md

@@ -296,8 +296,9 @@ same major line. Should you need to upgrade to a new major, use an explicit
 - `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` are supported through
   [`node-proxy-agent`](https://github.com/TooTallNate/node-proxy-agent).
 
-- `COREPACK_INTEGRITY_KEYS` can be set to an empty string to instruct Corepack
-  to skip integrity checks, or a JSON string containing custom keys.
+- `COREPACK_INTEGRITY_KEYS` can be set to an empty string or `0` to
+  instruct Corepack to skip integrity checks, or to a JSON string containing
+  custom keys.
 
 ## Troubleshooting
 

sources/corepackUtils.ts

@@ -283,7 +283,7 @@ export async function installVersion(installTarget: string, locator: Locator, {s
 
   if (!build[1]) {
     const registry = getRegistryFromPackageManagerSpec(spec);
-    if (registry.type === `npm` && !registry.bin && process.env.COREPACK_INTEGRITY_KEYS !== ``) {
+    if (registry.type === `npm` && !registry.bin && !shouldSkipIntegrityCheck()) {
       if (signatures! == null || integrity! == null)
         ({signatures, integrity} = (await npmRegistryUtils.fetchTarballURLAndSignature(registry.package, version)));
 
@@ -432,3 +432,8 @@ export async function runVersion(locator: Locator, installSpec: InstallSpec & {s
   // the stack trace of the package manager.
   process.nextTick(Module.runMain, binPath);
 }
+
+export function shouldSkipIntegrityCheck() {
+  return process.env.COREPACK_INTEGRITY_KEYS === ``
+    || process.env.COREPACK_INTEGRITY_KEYS === `0`;
+}

sources/npmRegistryUtils.ts

@@ -1,9 +1,10 @@
-import {UsageError}   from 'clipanion';
-import {createVerify} from 'crypto';
+import {UsageError}               from 'clipanion';
+import {createVerify}             from 'crypto';
 
-import defaultConfig  from '../config.json';
+import defaultConfig              from '../config.json';
 
-import * as httpUtils from './httpUtils';
+import {shouldSkipIntegrityCheck} from './corepackUtils';
+import * as httpUtils             from './httpUtils';
 
 // load abbreviated metadata as that's all we need for these calls
 // see: https://github.com/npm/registry/blob/cfe04736f34db9274a780184d1cdb2fb3e4ead2a/docs/responses/package-metadata.md
@@ -63,7 +64,7 @@ export async function fetchLatestStableVersion(packageName: string) {
 
   const {version, dist: {integrity, signatures}} = metadata;
 
-  if (process.env.COREPACK_INTEGRITY_KEYS !== ``) {
+  if (!shouldSkipIntegrityCheck()) {
     verifySignature({
       packageName, version,
       integrity, signatures,

tests/corepackUtils.test.ts

@@ -0,0 +1,25 @@
+import {describe, it, expect}     from '@jest/globals';
+
+import {shouldSkipIntegrityCheck} from '../sources/corepackUtils';
+
+describe(`corepack utils shouldSkipIntegrityCheck`, () => {
+  it(`should return false if COREPACK_INTEGRITY_KEYS env is not set`, () => {
+    delete process.env.COREPACK_INTEGRITY_KEYS;
+    expect(shouldSkipIntegrityCheck()).toBe(false);
+  });
+
+  it(`should return true if COREPACK_INTEGRITY_KEYS env is set to 0`, () => {
+    process.env.COREPACK_INTEGRITY_KEYS = `0`;
+    expect(shouldSkipIntegrityCheck()).toBe(true);
+  });
+
+  it(`should return true if COREPACK_INTEGRITY_KEYS env is set to an empty string`, () => {
+    process.env.COREPACK_INTEGRITY_KEYS = ``;
+    expect(shouldSkipIntegrityCheck()).toBe(true);
+  });
+
+  it(`should return false if COREPACK_INTEGRITY_KEYS env is set to any other value`, () => {
+    process.env.COREPACK_INTEGRITY_KEYS = JSON.stringify({foo: `bar`});
+    expect(shouldSkipIntegrityCheck()).toBe(false);
+  });
+});