Reputation: 973
I need to get PHP composer installed, but I'm not prepared to curl | php, and I want to validate the downloaded packages against a signature or checksum.
The download links on the site are the way I want to go. The devs have also published their public keys on the site. And there are package signatures available at ${download}.sig (found them by just looking for them), however I can't figure out how to verify with these signatures.
For example, these are the current latest PHAR and sig files:
The sig file contains:
{"sha384":"..."}
The body of this signature seems to be base64 encoded, but decoded it's too long to be an sha384 checksum. It also doesn't appear to be a GPG signature.
How can I validate the package?
Upvotes: 2
Views: 4130
Reputation: 41954
The sign script can be found on GitHub and contains the following code:
openssl_sign(file_get_contents($_SERVER['argv'][1]), $sha384sig, $pkeyid, OPENSSL_ALGO_SHA384)
// ...
$sha384sig = trim(base64_encode($sha384sig), '=');
So the signature is indeed a base64 encoded sha384 checksum.
Please note that the installer used to download the composer phar does also check the signature. Its code can also be found on GitHub:
$signature = $httpClient->get($url.'.sig');
if (!$signature) {
    out('Download failed: '.$errorHandler->message, 'error');
} else {
    $signature = json_decode($signature, true);
    $signature = base64_decode($signature['sha384']);
}
// ...
if (false === $disableTls) {
    $pubkeyid = openssl_pkey_get_public('file://'.$home.'/' . ($version ? 'keys.tags.pub' : 'keys.dev.pub'));
    $algo = defined('OPENSSL_ALGO_SHA384') ? OPENSSL_ALGO_SHA384 : 'SHA384';
    if (!in_array('SHA384', openssl_get_md_methods())) {
        out('SHA384 is not supported by your openssl extension, could not verify the phar file integrity', 'error');
        exit(1);
    }
    $verified = 1 === openssl_verify(file_get_contents($file), $signature, $pubkeyid, $algo);
    openssl_free_key($pubkeyid);
    if (!$verified) {
        out('Signature mismatch, could not verify the phar file integrity', 'error');
        exit(1);
    }
}
Upvotes: 3
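The same check done from the command line with openssl, as an added example (not code from the post above or from the Composer project): the .sig JSON is parsed, the stripped base64 padding is restored, and the raw RSA/SHA-384 signature is verified with openssl dgst -verify exactly as the installer's openssl_verify() call does. The key pair and stand-in phar below are constructed for the demo; a real check uses composer.phar, its .sig, and the keys.dev.pub or keys.tags.pub published on the Composer site.

```shell
#!/bin/sh
# Verify a Composer-style signature file. The .sig holds
#   {"sha384":"<base64 RSA signature over the phar, trailing '=' stripped>"}
# and the public key is the PEM the Composer site publishes (keys.dev.pub
# for snapshots, keys.tags.pub for tagged releases).
# Returns 0 when the signature validates against the file, 1 otherwise.
verify_composer_sig() {
    phar=$1; sig=$2; pubkey=$3
    # Extract the base64 string from the JSON without depending on jq.
    b64=$(sed -n 's/.*"sha384"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$sig")
    [ -n "$b64" ] || { echo "no sha384 field in $sig" >&2; return 1; }
    # The sign script trims '=' padding; restore it so the decoder accepts it.
    while [ $(( ${#b64} % 4 )) -ne 0 ]; do b64="$b64="; done
    rawsig=$(mktemp)
    printf '%s' "$b64" | openssl base64 -d -A > "$rawsig" || { rm -f "$rawsig"; return 1; }
    # Same check the installer does with openssl_verify(..., OPENSSL_ALGO_SHA384):
    # an RSA PKCS#1 v1.5 signature over the SHA-384 digest of the whole file.
    if openssl dgst -sha384 -verify "$pubkey" -signature "$rawsig" "$phar" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$rawsig"
    return $rc
}

# Constructed test set: throwaway key pair (stands in for the Composer dev key),
# a stand-in phar, and a .sig produced the way Composer's sign script does it
# (sign, base64, strip '=', wrap in JSON). Prints the directory holding them.
make_demo_set() {
    d=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/dev.key" 2>/dev/null
    openssl pkey -in "$d/dev.key" -pubout -out "$d/keys.dev.pub" 2>/dev/null
    printf 'stand-in for composer.phar\n' > "$d/composer.phar"
    b64=$(openssl dgst -sha384 -sign "$d/dev.key" "$d/composer.phar" | openssl base64 | tr -d '\n=')
    printf '{"sha384":"%s"}\n' "$b64" > "$d/composer.phar.sig"
    printf '%s\n' "$d"
}

# Exercise both outcomes: the untouched file verifies, one appended byte does not.
demo() {
    d=$(make_demo_set)
    verify_composer_sig "$d/composer.phar" "$d/composer.phar.sig" "$d/keys.dev.pub" \
        && echo "original phar: signature OK" || echo "original phar: FAILED"
    printf 'x' >> "$d/composer.phar"
    verify_composer_sig "$d/composer.phar" "$d/composer.phar.sig" "$d/keys.dev.pub" \
        && echo "tampered phar: signature OK (unexpected)" || echo "tampered phar: rejected"
    rm -rf "$d"
}
```

Run demo to see both results; against a real download, call verify_composer_sig with composer.phar, composer.phar.sig and the published key file.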