Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integrate with PhiVE for installing Composer #5155

Closed
jk opened this issue Apr 6, 2016 · 10 comments
Closed

Integrate with PhiVE for installing Composer #5155

jk opened this issue Apr 6, 2016 · 10 comments
Labels
Milestone

Comments

@jk
Copy link

jk commented Apr 6, 2016

As @shochdoerfer pointed out in the this comment it's probably a good idea to support PhiVE as an additional way to securely install Composer.

From their website:

Github releases
To distribute phars via Github in a PHIVE compliant way, it needs to be made available as an attachment to a release - alongside with a valid gpg signature. For PHIVE to pick it up, the filenames need to end on ".phar" and ".phar.asc" respectively.

PHIVE supports github's releases feature for repositories as of version 0.3.0.

And since we already have Github releases for composer it should not be too much work to claim an PhiVE alias.

@alcohol
Copy link
Member

alcohol commented Apr 6, 2016

As PHIVE is still in alpha, I think it is a bit premature to start looking into this. :-)

@alcohol alcohol added the Feature label Apr 6, 2016
@curry684
Copy link
Contributor

curry684 commented Apr 6, 2016

As PHIVE is still in alpha

Composer left alpha a month ago 😉

@barryvdh
Copy link
Contributor

barryvdh commented Apr 7, 2016

There are also other alternatives, like https://github.com/ellotheth/pipethis

And since we already have Github releases for composer it should not be too much work to claim an PhiVE alias.

Composer doesn't actually use the release feature I think, only the tags. But the tags contain the source, not the phar binary. It probably would make sense to attach binaries to the releases, perhaps that can be used to distribute the phars?
You could use the API to upload binaries (+ the signature) to the release tags: https://developer.github.com/v3/repos/releases/#upload-a-release-asset

(And maybe Github will extend GPG support for release binaries some day, so it becomes some kind of standard and the signature can be viewed online like in https://github.com/blog/2144-gpg-signature-verification)

@Seldaek
Copy link
Member

Seldaek commented Apr 11, 2016

Maybe some day but right now I just invested a lot of time in making sure we don't blindly pipe into php and that we have signatures and that all that works without the hassle of GPG, so my motivation to deal with this isn't at the highest I have to admit :)

@Seldaek Seldaek added this to the Nice To Have milestone Apr 11, 2016
@bamarni
Copy link
Contributor

bamarni commented Jun 3, 2016

I don't think Phive can easily be used on Windows / Mac : https://github.com/phar-io/phive/blob/1ff73fbbf6bc53224a320583ef018e4a6c66dae8/src/shared/config/Config.php#L59

The tool mentioned by @barryvdh relies on a go library. It can probably work without this hard requirement for other OS than Linux, I've opened a ticket to ask (ellotheth/pipethis#11).

@kaystrobach
Copy link

well i just wanted to open a ticket to request an option in composer to install just phars instead of sources files via composer (similar to phive) but into 'vendor/bin` this would allow to ship binaries of phpmd or similar stuff, without having the classes in the autoloader 😄

@amenk
Copy link

amenk commented Jan 6, 2018

It is not necessary to use the GitHub release process. "just" GPG .asc signatures have to be made available. Are they maybe already? Would it be possible?

@alcohol
Copy link
Member

alcohol commented Jan 9, 2018

@Seldaek how do you feel about doing this? Signing the phars it not a lot of additional work. But someone has to do it. Probably would be wise to use a dedicated Composer GPG key, not a personal one (or not, I don't know what is preferable here?).

@Seldaek
Copy link
Member

Seldaek commented Jan 9, 2018

I am already signing the phars, just not using GPG. So I guess I could add one more signature to the release process and push that out to the github release. Don't really wanna have travis do that part. I'll investigate.

@Seldaek Seldaek modified the milestones: Nice To Have, 2.0 Oct 27, 2020
@Seldaek
Copy link
Member

Seldaek commented Oct 28, 2020

Fixed by 44dc3c2 - as of https://github.com/composer/composer/releases/tag/2.0.3 releases will be signed. I just tried to install it via phive and it works now without --force-accept-unsigned 👍

@Seldaek Seldaek closed this as completed Oct 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

8 participants