The Composer Installer SHA384 hash is hard coded in the Dockerfile as the variable "composer_hash". This hash is specific to a version file.
ENV composer_hash 55d6ead61b29c7bdee5cccfb50076874187bd9f21f65d8991d46ec5cc90518f447387fb9f76ebae1fbbacf329e583e30
Conversely, composer is downloaded from https://getcomposer.org/installer, which serves the latest version of the installer:
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" && \
php -r "if (hash_file('SHA384', 'composer-setup.php') === '${composer_hash}') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" && \
Currently, the "55d6ead61b29c7bdee5cccfb50076874187bd9f21f65d8991d46ec5cc90518f447387fb9f76ebae1fbbacf329e583e30" hash corresponds to version 1.3.2 of 2017-01-27, however, the latest version is 1.4.1, as of 2017-3-10. Thus, any builds made in the past 4 days would have failed.
There is a very specific warning on https://getcomposer.org/download/ against distributing the posted install code as was done in this Dockerfile:
WARNING: Please do not redistribute the install code. It will change with every version of the installer. Instead, please link to this page or check how to install Composer programmatically.
My suggestion would be to either:
A) make the hash dynamic itself, by grabbing it from here: https://composer.github.io/installer.sig (navigable from https://getcomposer.org/download/ -> "cross-check here" link, where it is linked). The instructions for this are described on the composer site: https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
B) If security is a concern - part of the reason for checking the file hash is to see that a file has not been tampered with, and the dynamic signature link can suffer from the same attack - the hash can remain hard coded, but the Composer Installer URL should be linked to a specific version.
As per the instructions page above, this can be accomplished by downloading a specific composer installer (different from composer.phar) from GitHub:
wget https://raw.githubusercontent.com/composer/getcomposer.org/a68fc08d2de42237ae80d77e8dd44488d268e13d/web/installer -O - -q | php -- --quiet
for version 1.4.1 and then continuing to check the file as before. The current hash published on the composer site (669656bab3166a7aff8a7506b8cb2d1c292f042046c5a994c43155c0be6190fa0355160742ab2e1c88d40d5be660b410) is ACTUALLY for the older 1.4.0 (https://raw.githubusercontent.com/composer/getcomposer.org/9b3c12dd41bd83b599d33e96d950db213657379a/web/installer), which only goes to further exemplify this problem.
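The two options above, written out as a small POSIX shell script. This is an added example, not code from the issue author or from the project's Dockerfile: it takes the expected SHA-384 from https://composer.github.io/installer.sig (option A) or from a maintainer-supplied hash against an installer pinned to a commit of composer/getcomposer.org (option B), and keeps the original RUN step's behaviour of deleting the file on a mismatch. It assumes curl and either sha384sum or openssl; php is only needed for the actual install step. The self-check at the bottom runs offline against a constructed stand-in file, so nothing is fetched unless you call it with `latest` or `pinned <commit> <sha384>`.

```shell
#!/bin/sh
# Added example for this issue; not the project's own Dockerfile code.
# Assumes: curl, sha384sum or openssl, and php for the install functions.
set -eu

SIG_URL='https://composer.github.io/installer.sig'
INSTALLER_URL='https://getcomposer.org/installer'
PINNED_URL_FMT='https://raw.githubusercontent.com/composer/getcomposer.org/%s/web/installer'

# Hex SHA-384 of a file, lowercase, without the trailing filename.
sha384_of() {
    if command -v sha384sum >/dev/null 2>&1; then
        sha384sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha384 "$1" | sed 's/^.*= //'
    fi
}

# verify_installer FILE EXPECTED_HASH
# Returns 0 when FILE hashes to EXPECTED_HASH (case-insensitive, whitespace
# ignored, so the raw body of installer.sig can be passed straight in).
# On mismatch the file is removed, as in the Dockerfile, and 1 is returned.
verify_installer() {
    actual=$(sha384_of "$1")
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "Installer verified"
        return 0
    fi
    echo "Installer corrupt: expected $expected, got $actual" >&2
    rm -f "$1"
    return 1
}

# Option A: latest installer, expected hash fetched at build time from
# installer.sig. File and hash share one trust anchor (the Composer site),
# so this catches corruption and stale hashes, not a compromise of that site.
install_latest() {
    curl -fsSL "$INSTALLER_URL" -o composer-setup.php
    verify_installer composer-setup.php "$(curl -fsSL "$SIG_URL")"
    php composer-setup.php --quiet
    rm -f composer-setup.php
}

# Option B: installer pinned to a commit of composer/getcomposer.org and
# checked against a hash the image maintainer hard-codes for that commit.
install_pinned() {
    # $1 = commit SHA, $2 = expected SHA-384 hex
    url=$(printf "$PINNED_URL_FMT" "$1")
    curl -fsSL "$url" -o composer-setup.php
    verify_installer composer-setup.php "$2"
    php composer-setup.php --quiet
    rm -f composer-setup.php
}

# Offline self-check on a constructed stand-in for the installer: a correct
# hash must verify and leave the file in place; a tampered file must be
# rejected and deleted. Returns 0 on success.
selfcheck() {
    f=$(mktemp)
    printf '<?php echo "stand-in installer";' > "$f"
    good=$(sha384_of "$f")
    verify_installer "$f" "$good" >/dev/null
    [ -f "$f" ] || return 1
    printf ' // tampered' >> "$f"
    if verify_installer "$f" "$good" 2>/dev/null; then return 1; fi
    [ ! -f "$f" ] || return 1
    return 0
}

case "${1:-selfcheck}" in
    latest) install_latest ;;
    pinned) install_pinned "$2" "$3" ;;
    *)      selfcheck && echo "self-check passed" ;;
esac
```

In a Dockerfile, option B is the one that gives a reproducible build: `ENV composer_hash ...` stays, and the RUN step calls `install_pinned <commit> "${composer_hash}"` so the hash and the installer it was taken from can only change together.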