When the user has not provided any hash (so when running `corepack up`/`corepack use …`), and the package manager is downloaded from the npm registry, we can verify the signature.
BREAKING CHANGE: attempting to download a version from the npm registry (or a mirror) that was published using the now deprecated PGP signature without providing a hash will trigger an error. Users can disable the signature verification using a environment variable.
* test: store nocks in a sqlite3 database
* chore: remove nock files
* refactor: reuse statement
* Update tests/recordRequests.js
Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
* refactor: only create statements when needed
* refactor: move nocks db up one level
* fix: close db on exit
---------
Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>