[Self-Host] Docker Build Fails with "Cannot find matching keyid" Error During PNPM Install

[piotrstarzynski]

When attempting to build a Docker image, the build process fails during the pnpm install --frozen-lockfile (or pnpm install --prod --frozen-lockfile) step with an error indicating a missing key ID. The error message is:

Error: Cannot find matching keyid: {"signatures":[{"sig":"MEQCIHGqHbvc2zImUPEPFpT4grh6rMYslel+lAjFArx8+RUdAiBfnJA+bgmUvO5Lctfkq+46KKDQdx/8RhLPge3pA+EdHA==","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}
    at verifySignature (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:21535:47)
    ...
Node.js v20.18.2

The error prevents the Docker build from completing successfully.

To Reproduce
Clone the repository or obtain the Docker configuration files.
Run docker compose build --no-cache (or a similar build command).
Observe that the build halts with the "Cannot find matching keyid" error while installing packages with PNPM.

Expected Behavior
The Docker image should build without throwing a key-matching error, completing the pnpm install step successfully.

[ftonato]

Hi @piotrstarzynski,

Thank you for reaching out! I’ll be assisting you with your questions or issues. I will take a look at it and provide you with an update once I have one 😉

[ftonato]

Hello @piotrstarzynski,

After trying some things, I made this change and worked as expected for me, do you mind trying too?

---

These are the first lines of the Dockerfile firecrawl/apps/api/Dockerfile.

FROM node:20-slim AS base
ENV PNPM_HOME="/pnpm"
ENV PATH="$PNPM_HOME:$PATH"
LABEL fly_launch_runtime="Node.js"
RUN npm install -g pnpm@8.15.5
COPY . /app
WORKDIR /app

After changing it, these were the steps:

1. cd apps/api/
2. rm -rf node_modules && rm -rf pnpm-lock.yaml
3. pnpm install
4. docker compose build && docker compose up -d

[piotrstarzynski]

Hello @ftonato,

Yeah, of course. I am not sure if I did it right.

When trying:

pnpm install
Command 'pnpm' not found, did you mean:
  command 'npm' from deb npm (8.5.1~ds-1)
Try: apt install <deb name>

Tried this:

# Install Node.js if not already installed
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt-get install -y nodejs

# Install PNPM globally
npm install -g pnpm

When building after got this:

 => [api build 3/4] RUN pnpm install                                       3.5s
 => ERROR [api build 4/4] RUN --mount=type=secret,id=SENTRY_AUTH_TOKEN    13.2s
------
 > [api build 4/4] RUN --mount=type=secret,id=SENTRY_AUTH_TOKEN     bash -c 'export SENTRY_AUTH_TOKEN="$(cat /run/secrets/SENTRY_AUTH_TOKEN)"; if [ -z $SENTRY_AUTH_TOKEN ]; then pnpm run build:nosentry; else pnpm run build; fi':
0.278 cat: /run/secrets/SENTRY_AUTH_TOKEN: No such file or directory
0.781 
0.781 > firecrawl-scraper-js@1.0.0 build:nosentry /app
0.781 > tsc
0.781 
12.97 src/lib/extract/reranker.ts(34,5): error TS2322: Type '(string | Record<string, string>)[]' is not assignable to type 'string[]'.
12.97   Type 'string | Record<string, string>' is not assignable to type 'string'.
12.97     Type 'Record<string, string>' is not assignable to type 'string'.
12.97 src/lib/logger.ts(8,41): error TS18046: 'info.metadata' is of type 'unknown'.
12.97 src/lib/logger.ts(8,71): error TS18046: 'info.metadata' is of type 'unknown'.
12.97 src/scraper/scrapeURL/lib/removeUnwantedElements.ts(3,10): error TS2305: Module '"cheerio/dist/commonjs"' has no exported member 'AnyNode'.
13.03  ELIFECYCLE  Command failed with exit code 2.
------
failed to solve: process "/bin/sh -c bash -c 'export SENTRY_AUTH_TOKEN=\"$(cat /run/secrets/SENTRY_AUTH_TOKEN)\"; if [ -z $SENTRY_AUTH_TOKEN ]; then pnpm run build:nosentry; else pnpm run build; fi'" did not complete successfully: exit code: 1

And I gave up.

Btw. it was working like a charm, but after docker compose down it stopped and threw errors.

Thanks for help.

[daniel5gh]

Ran into the same, apparently this is because of signing keys embedded into corepack and those are no longer valid because of a rotation (nodejs/corepack#616). The node:20-slim doesn't have updated keys. node:23-slim does have them.

I updated

firecrawl/apps/api/Dockerfile

Line 1 in 5894076

FROM node:20-slim AS base

to use node:23-slim and the images do build. I have no idea if the project works with 23 instead of 20 though.

[daniel5gh]

there is still the sentry auth token error during build mentioned by @piotrstarzynski

#34 [api build 4/4] RUN --mount=type=secret,id=SENTRY_AUTH_TOKEN     bash -c 'export SENTRY_AUTH_TOKEN="$(cat /run/secrets/SENTRY_AUTH_TOKEN)"; if [ -z $SENTRY_AUTH_TOKEN ]; then pnpm run build:nosentry; else pnpm run build; fi'
#34 0.357 cat: /run/secrets/SENTRY_AUTH_TOKEN: No such file or directory
#34 0.599 
#34 0.599 > firecrawl-scraper-js@1.0.0 build:nosentry /app
#34 0.599 > tsc
#34 0.599
#34 DONE 6.4s

but it does correctly run build:nosentry albeit a bit rough with that error. I guess we miss the equivalent of --secret id=SENTRY_AUTH_TOKEN and I don't know how that works with compose.

After running the image, there was a sentry import error. I solved this by simply commenting out the contents of services/firecrawl/apps/api/src/services/sentry.ts - also very hacky, but good enough for me for now.

The service is listening on 3002 at least.

[th1nkful]

I stumbled onto this while debugging the same error for an unrelated project, and came across this on the pnpm repo, thought it might help here: pnpm/pnpm#9029

[namhnz]

I stumbled onto this while debugging the same error for an unrelated project, and came across this on the pnpm repo, thought it might help here: pnpm/pnpm#9029

This is simple and quickest way to fix

[piotrstarzynski]

I tried all the suggestions but ran into another issue:

ERR_PNPM_NO_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is absent

Do you have like step by step what to do to fix it or should I wait for an update?

[namhnz]

I changed Dockerfile in apps/api/ like this, then build normally, don't delete pnpm-lock.yaml file. And no need to install or delete anything else.

pnpm/pnpm#9029 (comment)

[rothnic]

I submitted a pull request (#1131) that fixes this issue and fixes some other issues with the current repo in getting a self-hosted firecrawl "stack" running using portainer where I just point to the repo and modify env variables.

I didn't receive the lockfile issue, but I did encounter an issue with the docker entryfile trying to set ulimit, which isn't supported in my environment. I moved this to the docker compose run configuration.

[ftonato]

I submitted a pull request (#1131) that fixes this issue and fixes some other issues with the current repo in getting a self-hosted firecrawl "stack" running using portainer where I just point to the repo and modify env variables.

I didn't receive the lockfile issue, but I did encounter an issue with the docker entryfile trying to set ulimit, which isn't supported in my environment. I moved this to the docker compose run configuration.

Thank you for helping us with this problem. Thanks for your contributions 🎉