
File composer.phar from getcomposer.org is different than file composer.phar from repository #9746

Closed
pmasior opened this issue Mar 3, 2021 · 8 comments

pmasior commented Mar 3, 2021

I downloaded the file composer.phar from the official website and from Releases in the Composer GitHub repository, but these files are different.

I checked earlier versions. From version 2.0.0 to 2.0.8 the corresponding versions of composer.phar from the website and the GitHub repository are the same. From version 2.0.9 to version 2.0.11, the corresponding versions downloaded from the website and the GitHub repository are different. Is this expected? Below I paste the sha256sums.

eabf2917072096a94679193762501319e621e2b369a4a1256b2c27f4e6984477  composer(2.0.11_www).phar
d6eee0d4637f4bd82bdae098fceda300dcb3ec35bf502604fbe7510933b8f952  composer(2.0.11_gitrel).phar
92cb8b75268b23d1275e6d72dd398b29244505bea6d1f247ba126fd45a990645  composer(2.0.10_www).phar
72a5a68d12f315d74d931462413f7e114cd77b4be1a6b9494141dda93410751a  composer(2.0.10_gitrel).phar
24faa5bc807e399f32e9a21a33fbb5b0686df9c8850efabe2c047c2ccfb9f9cc  composer(2.0.9_www).phar
8e91344a5ca2fc0fb583c50f195a1f36918908561c4ea3d6f01a4ef01c3b8560  composer(2.0.9_gitrel).phar
2021f0d52b446e0efe3c548cc058ab5671fa38cdbcf814e7911c7e9d71d61538  composer(2.0.8_www).phar
2021f0d52b446e0efe3c548cc058ab5671fa38cdbcf814e7911c7e9d71d61538  composer(2.0.8_gitrel).phar
0a060e8caf1d5cde55c4562fd68369b08cf231b8fd30da9c8f994b111557ebe9  composer(2.0.7_www).phar
0a060e8caf1d5cde55c4562fd68369b08cf231b8fd30da9c8f994b111557ebe9  composer(2.0.7_gitrel).phar
e5e39d8fa699ddb09844f6b4388280ff2c805fef0a7c26580c5bbc91ac35091b  composer(2.0.6_www).phar
e5e39d8fa699ddb09844f6b4388280ff2c805fef0a7c26580c5bbc91ac35091b  composer(2.0.6_gitrel).phar
e786d1d997efc1eb463d7447394b6ad17a144afcf8e505a3ce3cb0f60c3302f9  composer(2.0.5_www).phar
e786d1d997efc1eb463d7447394b6ad17a144afcf8e505a3ce3cb0f60c3302f9  composer(2.0.5_gitrel).phar
c3b2bc477429c923c69f7f9b137e06b2a93c6a1e192d40ffad1741ee5d54760d  composer(2.0.4_www).phar
c3b2bc477429c923c69f7f9b137e06b2a93c6a1e192d40ffad1741ee5d54760d  composer(2.0.4_gitrel).phar
5d377e9b504dc9f6c9228d81c321ba85290512cdb396a12d3708b0cd30d2e20c  composer(2.0.3_www).phar
5d377e9b504dc9f6c9228d81c321ba85290512cdb396a12d3708b0cd30d2e20c  composer(2.0.3_gitrel).phar
5e122edd0f2a4fb01172b6b1c156b3d252d9205105b4ad169a4b09913ba6a859  composer(2.0.2_www).phar
5e122edd0f2a4fb01172b6b1c156b3d252d9205105b4ad169a4b09913ba6a859  composer(2.0.2_gitrel).phar
4b4b118cc54662e4813ba86efb215fdb19c5b29944c5919b4f2803c915aa2234  composer(2.0.1_www).phar
4b4b118cc54662e4813ba86efb215fdb19c5b29944c5919b4f2803c915aa2234  composer(2.0.1_gitrel).phar
139657aa2b37867800292724145e3c4895f7755d845758b403dc329d17bdd285  composer(2.0.0_www).phar
139657aa2b37867800292724145e3c4895f7755d845758b403dc329d17bdd285  composer(2.0.0_gitrel).phar

Files downloaded from the repository (version 2.0.4 and later) are signed with key 161D FBE3 4288 9F01 DDAC 4E61 CBB3 D576 F2A0 946F. I didn't find any actual information about signature files on the official website.

If my ticket is unfounded, I'm sorry about that.

stof (Contributor) commented Mar 4, 2021

Looks like 44dc3c2 implemented signing for the phars in github releases, but that the same was not applied for the website...

stof (Contributor) commented Mar 4, 2021

hmm, no. That commit only adds the GPG signature, but it does not impact the phar. That's likely something else.

@Seldaek Seldaek added this to the 2.0 milestone Mar 5, 2021
@Seldaek Seldaek added the Bug label Mar 5, 2021
Seldaek added a commit to composer/getcomposer.org that referenced this issue Mar 9, 2021
@Seldaek Seldaek closed this as completed in 06003f4 Mar 9, 2021
Seldaek (Member) commented Mar 9, 2021

Thanks for catching this @pmasior!

The issue was that I started building phars for getcomposer.org using PHP8 which results in slightly different whitespace in the phar file due to token_get_all() behavior variations.

I rebuilt the 2.0.9 / 10 / 11 phars with 7.4 to match the GitHub ones. Future versions will be built on PHP 8 on GitHub as well.
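A practitioner facing a mismatch like the one above wants to confirm that the two archives really differ only in whitespace, as Seldaek explains, before accepting a new hash. The following script is an added example (not Composer's own tooling): it reads both phars, tokenizes every PHP file with token_get_all(), drops the T_WHITESPACE tokens, and compares what remains; the file names composer-www.phar and composer-gitrel.phar are assumed placeholders.

```php
<?php
// Added example, not Composer's own code: compare two composer.phar builds.
// Drop every T_WHITESPACE token and concatenate the text of the rest.
function strip_whitespace_tokens(string $src): string
{
    $out = '';
    foreach (token_get_all($src) as $tok) {
        if (!is_array($tok)) {
            $out .= $tok;
        } elseif ($tok[0] !== T_WHITESPACE) {
            $out .= $tok[1];
        }
    }
    return $out;
}
// Map of path-inside-phar => normalised content, including the phar stub.
function phar_contents(string $pharPath): array
{
    $phar = new Phar($pharPath);
    $prefix = 'phar://' . realpath($pharPath) . '/';
    $map = ['<stub>' => strip_whitespace_tokens($phar->getStub())];
    foreach (new RecursiveIteratorIterator($phar) as $file) {
        $rel = substr($file->getPathname(), strlen($prefix));
        $src = file_get_contents($file->getPathname());
        // Non-PHP files (json, certificates, ...) must match byte for byte.
        $map[$rel] = substr($rel, -4) === '.php' ? strip_whitespace_tokens($src) : $src;
    }
    return $map;
}
// Paths present in only one archive or differing beyond whitespace.
function semantic_diff(string $a, string $b): array
{
    $ma = phar_contents($a);
    $mb = phar_contents($b);
    $diff = [];
    foreach (array_unique(array_merge(array_keys($ma), array_keys($mb))) as $f) {
        if (!isset($ma[$f], $mb[$f]) || $ma[$f] !== $mb[$f]) {
            $diff[] = $f;
        }
    }
    return $diff;
}

// Assumed placeholder file names; pass real paths as the two CLI arguments.
[$a, $b] = [$argv[1] ?? 'composer-www.phar', $argv[2] ?? 'composer-gitrel.phar'];
printf("%s  %s\n%s  %s\n", hash_file('sha256', $a), $a, hash_file('sha256', $b), $b);
$diff = semantic_diff($a, $b);
echo $diff ? "Differences beyond whitespace in:\n  " . implode("\n  ", $diff) . "\n"
           : "Archives are identical apart from whitespace.\n";
exit($diff ? 1 : 0);
```

A non-zero exit means the archives differ in something other than whitespace, which is the case where a changed checksum should be treated as suspicious rather than as a rebuild.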

anomiex added a commit to Automattic/jetpack that referenced this issue Mar 9, 2021
Composer rebuilt the package which changed the hash. See
composer/composer#9746 (comment).
anomiex added a commit to Automattic/jetpack that referenced this issue Mar 9, 2021
Composer rebuilt the package which changed the hash. See
composer/composer#9746 (comment).
matticbot pushed a commit to Automattic/jetpack-autoloader that referenced this issue Mar 9, 2021
pmasior (Author) commented Mar 9, 2021

Thanks for explaining and solving the problem.

mnme commented Mar 9, 2021

This checksum change should probably be communicated on an official channel to make it clear that this is intended. I just encountered a hash mismatch in homebrew (see linked issue above), but this will probably impact other systems as well.

Seldaek (Member) commented Mar 9, 2021

Right, sorry about that. I guess I shouldn't have updated them in retrospect, but now that it's done it's probably best to leave it rather than cause even more mess.

joseluisq commented Mar 19, 2021

> This checksum change should probably be communicated on an official channel to make it clear that this is intended. I just encountered a hash mismatch in homebrew (see linked issue above), but this will probably impact other systems as well.

Yeah, also there is no announcement on the website https://getcomposer.org/download/

In my case I only realized today that there is a mismatch, d6eee0d4637f4bd82bdae098fceda300dcb3ec35bf502604fbe7510933b8f952 in favor of eabf2917072096a94679193762501319e621e2b369a4a1256b2c27f4e6984477 for the same 2.0.11 version, when our CI pipeline just broke.

Seldaek (Member) commented Apr 1, 2021

Just FYI, 2.0.12 has now been released and I can confirm both my build and the automatic build on GH Actions have exactly the same sha256 (82ea8c1537cfaceb7e56f6004c7ccdf99ddafce7237c07374d920e635730a631), so the fix looks good.

davidacmoreira-cx added a commit to cxsca/cx-composer-cli that referenced this issue May 14, 2021
* Include stdout as well as stderr if git stash/diff/.. fails, fixes composer#9720

* Remove version argument from why and enforce it for why-not command, refs composer#9693

* Fix compiler on Windows (composer#9730)

* Preserve file permissions on Windows self-update (composer#9733)

Windows file operations result in different file permissions depending
if the file is copied or moved. A copy operation applies permissions
from the destination folder (or file if it already exists and does not
use inheritance), while a move operation generally preserves the source
file permissions.

Windows PHP `rename` uses MoveFileEx so if the user is running as an
admin and the destination is in a common (non-user) location, then the
permission for other users will be replaced by the admin user. Likewise
for the UAC elevation feature, which uses the cmd.exe `move` command.

This fix uses copy and delete operations on Windows, so that other users
can continue to run composer.phar

* Proxy handling docs and tweaks (composer#9735)

* Fix functional tests to use the same PHP version as PHPUnit runs with

* Add support for @php <abs path to binary from PATH>, fixes composer#9726

* Fix issue extracting archives into paths that already exist, fixes composer/installers#479

* Avoid using str_replace for dev-master replacement as that may be a valid part of a branch name, fixes composer#9739

* Fix php-proxying of binaries to avoid proxying phar files, fixes composer#9742

* Make sure that single files installed via file downloader get the executable bit set if they are a binary file, refs composer#9742

* Fix var shadowing

* Fix unclear error when a package can be found in lock but not in the remote repo, fixes composer#9750

* Update release step to use php8 as it produces slightly different output wrt white-space, fixes composer#9746

* Bump phpstan to level 3 (composer#9734)

Clean up PackageInterface/CompletePackageInterface, add missing methods, type things in solver as BasePackage, added CompleteAliasPackage, ..

* Update GitHub token pattern

GitHub is updating the format of auth tokens from `a-z0-9` to `A-Za-z0-9` ([notice](https://github.blog/changelog/2021-03-04-authentication-token-format-updates/)).
I'm not sure why `.` is allowed, but I dare not to remove it. In this PR, the token validation regex is updated to allow `A-Za-z0-9` instead of the current all lower-case `a-z` and disallowed `_`.

* Document GH token usage and also make sure we redact them in Process debug output, refs composer#9757

* Remove output "summary" from fund command. Fund does not provide this type of format. (composer#9748)

* Clarify behavior of name in VCS repo, closes composer#9752

* Add --format json to search command (composer#9747)

Co-authored-by: Jordi Boggiano <j.boggiano@seld.be>

* Attempt working around Vagrant filesystem issues, added COMPOSER_RUNTIME_ENV env var (set to vagrant), fixes composer#9627

* Prefer @phpstan- annotations as that is what we run against

* Fix phpdoc

* Make full functional test output more reliable

* Create pull_request_template.md

* Only call sapi_windows_set_ctrl_handler() for CLI requests (composer#9771)

* MaxFileSizeException should reject download job (composer#9778)

* Also attempt working around Vagrant filesystem issues when installing plugins initially, refs composer#9627

* Add source package name to debug info when enabling plugins

* Add dev mode env var for scripts run (composer#9793)

Co-authored-by: Vitali Tsyrkin <vitalit@playtika.com>

* Update github token pattern to match their latest updates

* Update changelog

* Tweak virtualbox detection and improve it by detecting vbox additions, refs composer#9627

* Update changelog

* Fixed detection of hg version when localized, fixes composer#9753

* Fix type warning on php8.1, refs composer#9770

* Support --no-dev combined with --locked in outdated/show commands, fixes composer#9788

* Improve InstalledVersions docs slightly

* Fix doctype annotations

* Change root.dev-requirement to root.dev in installed.php as the root is not required per se, and this simply tracks the dev mode at install time

* Fix tests

* Make ComposerRepository::configurePackageTransportOptions() protected. (composer#9818)

* Fix doctype annotations

* Switch to composer/metadata-minifier, fixes composer#9727

* Add new dep to the tests

* Change default preferred-install to dist, add --prefer-install=auto|dist|source to allow specifying auto (composer#9603)

Fixes composer#9546
Fixes composer#9674

* Add warning when loading plugins of type composer-installer as they are unlikely to function correctly and should be upgraded to the composer-plugin type

* Fix output listing some updates that do not really happen when updating mirrors/--lock, fixes composer#9812

* Make sure update mirrors/--lock keeps the release date of the original reference when dev versions have newer commits, refs composer#9812

* Fire POST_FILE_DOWNLOAD event for metadata fetched by ComposerRepository.

* Clean stuff up and deprecate old usages for PostFileDownloadEvent

* Add repository instance to Pre/PostFileDownloadEvent metadata

* Added link to composer.org docs on ProcessTimedOutException (composer#9796)

* ComposerRepository::asyncFetchFile() does not pass the downloaded URL to PostFileDownloadEvent (composer#9827)

* Update 00-intro.md

* Upgrade to xdebug-handler 2 (composer#9832)

This adds support for Xdebug3 modes and changes the default behaviour
from always restarting if Xdebug is loaded, to only restarting if Xdebug
is active.

Xdebug is considered active if it is loaded, and for Xdebug3, if it is
running in a mode other than `xdebug.mode=off`.

* Fix source links, fixes composer#9836

* Allow PreFileDownloadEvent to carry transport options for metadata (composer#9831)

* Use jsonc highlighting

* "composer init --autoload" - Interactive generates PSR-4 autoloader in composer.json (composer#9829)

- Generates PSR-4 autoload entry in composer.json.
- Run dump-autoload, if no dependencies are set

* Fix install step at the end of init command

* Fix install step at the end of init command

* Merge pull request from GHSA-h5h8-pc6h-jvvx

* Fix external process calls to avoid user input being able to pass extra parameters

* Tweak some fixes

* Merge pull request from GHSA-h5h8-pc6h-jvvx

* Fix external process calls to avoid user input being able to pass extra parameters

* Tweak some fixes

* Update changelog

* Update changelog

* Add basic source/dist validation

* Allow ints in source/dist reference

* Also make sure type is correct for preg_match

* BinaryInstaller: install full binaries on WSL when bin-compat=auto (composer#9855)

* Hint at a branch rename if we detect dev-master can not be found but dev-main or dev-default exists, fixes composer#9850

* Also condense dev-* versions if there are many, refs composer#9850

* Introduce a cross-platform safe version of is_readable to support UNC / wsl$ paths on Windows (composer#9861)

* Fix handling of inline-update-constraints with refs or stability flags, fixes composer#9847

* Link to GitLab documentation for auth (composer#9833)

Co-authored-by: Jordi Boggiano <j.boggiano@seld.be>

* Avoid leaving the event stack in a dirty state if an event listener throws, fixes composer#9846

* Fix invalid interface usage

* Fix type issues with root package interface

* Also handle throwable on supported php versions

* Fix EOL of text files (composer#9877)

* Fix update fork changes

* Add skipping svn downloader

* Revert skipping in svn downloader

Co-authored-by: Jordi Boggiano <j.boggiano@seld.be>
Co-authored-by: Nils Adermann <naderman@naderman.de>
Co-authored-by: John Stevenson <john-stevenson@blueyonder.co.uk>
Co-authored-by: Ayesh Karunaratne <ayesh@aye.sh>
Co-authored-by: ochorocho <jochen.roth@b13.com>
Co-authored-by: Brandon Kelly <brandon@pixelandtonic.com>
Co-authored-by: Stephan <glaubinix@users.noreply.github.com>
Co-authored-by: vitman <vitalyhome@tut.by>
Co-authored-by: Vitali Tsyrkin <vitalit@playtika.com>
Co-authored-by: Adam <adam@phenaproxima.net>
Co-authored-by: Markus Staab <markus.staab@redaxo.de>
Co-authored-by: Antoine Makdessi <amakdessi@me.com>
Co-authored-by: Andreas Scheibel <contact@camya.com>
Co-authored-by: Markus Staab <47448731+clxmstaab@users.noreply.github.com>
Co-authored-by: timrizzi <tim.rizzi@gmail.com>
Co-authored-by: Michael Voříšek <mvorisek@mvorisek.cz>