-
-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support checksum (sha256) verification in dist fields (for downloaded data) #5940
Comments
This is not really feasible. The majority of downloads are automatically fetched from github's dist API. Users have no way of knowing up front what exactly the hash will be, nor does Packagist actually download any of the dist files, so it cannot add this metadata either. |
I see, it's feasible only in some cases (such as phpmyadmin.net/packages.json) but not for most downloads triggered by composer (as it's download dynamic files [can have different content X minutes later])
The files.phpmyadmin.net domain (which the static files are served from) point to CDN (thus it's better to validate the downloads) as they can be malformed (for example: as happened long time ago in hacked mirror of sourceforge) |
The checksum feature is already supported for dist archives (but it uses sha1, not sha256). Simply add the |
Thanks, it's better then no verification :) |
AFAICT, it is not documented. The doc for the repository schema is a bit incomplete currently. |
Well then there is 2 issues remain:
|
Huh. Does the checksum feature work for anyone?
...and the package happily installs. Why? Shouldnt the given checksum ("idontcare") be compared to the sha1 of the downloaded tar.gz? |
composer/src/Composer/Downloader/FileDownloader.php Lines 137 to 184 in 0f373e3
Are you sure your "package.json" is actually read? Did you run your composer install or update command in |
@alcohol Thanks for your answer. Yes, it is read. I checked with -vvv. It seems as if it doesnt have any effect what I write as value. |
Can you share your verbose output with us? |
is |
Yes, this is the package I try to (re-)download. I delete it from the folder (modules/autocron). Run the command. It downloads and installs again. I wonder why. I've added the "idontcare" checksum to all packages in packages.json. |
|
Ah, okay. Solved it now. Thanks @alcohol for bringing me on the right track. I've unpacked the PHAR archive of composer to debug everything and followed the files. I finally found out that the key is not called "checksum" but "shasum". Hooray. Progress. +1 for better docs, though ;-) |
Ah, yeah, it is actually documented also: composer/res/composer-schema.json Line 826 in 8eae151
But since it is most often used only internally, I kind of forgot about it. |
Should composer install/update warn on invalid schema? Wasting time because of invalid files and missing to call composer validate is a pity |
Never mind, it is |
Nix community really needs this |
Well, as long as Github and Gitlab don't ensure that their commit zip archives have a stable checksum, there is nothing composer can do about it (as packagist.org references their archives and Github and Gitlab are representing the vast majority of packages registered on packagist.org, probably over 95%). |
Can't composer pull in the zip into |
As far as i can tell, the suggested resolve for this issue is written in #2540 . |
While it will not provide the security offered by signing verification:
#4022
it easier to implement and does help against malformed target resource (server/mirror/CDN hacked / MITM on connection / etc...) when assuming composer.json content authentic.
suggestion:
add sha256 field that will verify the downloaded data.
for example in:
https://www.phpmyadmin.net/packages.json
all the dist fields except dev-master can contain sha256 field that contain checksum as they point to static files.
The text was updated successfully, but these errors were encountered: