Install composer system wide

10/06/2019 - Ted

Download "signed" installer for PHP Composer.

Signature is in quotes because this really doesn't prove or provide any kind of signature or authentication - it's just a SHA384 hash of the installer executable. The only possible security is that the installer and signature are available via different web servers, but this isn't enforced. A real signature would be better. Every commit is signed which makes the situation even more confusing.

All the solutions to this I have seen online have been mixed bash/php calls. This is just PHP to make it simpler.
As root:

php << 'EOF'
<?php
/**
 * Download installer & "signature"; check hash matches and provide guide to install.
 */
 
$sig = 'https://composer.github.io/installer.sig';
$prg = 'https://getcomposer.org/installer';
 
// Download "signature".
$expected_hash = @file_get_contents($sig);
if ($expected_hash === FALSE) {
  die("Unable to download hash of installer.\n" . $http_response_header[0] . "\n");
}
$expected_hash = trim($expected_hash);
 
// Download installer program.
$installer = @file_get_contents($prg);
if ($installer === FALSE) {
  die("Unable to download the installer program.\n" . $http_response_header[0] ."\n");
}
 
// Generate hash of installer. Compare expected vs actual. Write out if matches.
$actual_hash = hash('SHA384', $installer);
if ($expected_hash != $actual_hash) {
  printf("Expect: %s\n", $expected_hash);
  printf("Actual: %s\n", $actual_hash);
  die("Hash of installer does not match expected.\n");
}
file_put_contents('composer-installer.php', $installer);
 
// Output cmd user should run after checking out parameters. We don't auto-run
// as that doesn't allow user to be able to adjust things.
printf("php composer-installer.php --filename=composer --install-dir=\"/usr/local/bin\"\n");
printf("rm composer-installer.php\n");
 
EOF

NB: Never run composer as root user again. Except when installing composer system-wide packages.

NB: After install, you should be installing prestissimo with composer global require hirak/prestissimo using the method above!

Tags: