Install composer regardless of installer signatures

ridi · Feb 11, 2019 · aedc570 · aedc570
1 parent 1ff904c
commit aedc570
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 6 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -9,6 +9,7 @@ ENV LC_ALL=C.UTF-8
 
 RUN apt-get update --fix-missing && apt-get install --no-install-recommends -y \
     software-properties-common \
+    wget \
     php7.2 \
     php7.2-cli \
     php7.2-curl \
@@ -30,14 +31,11 @@ RUN a2enconf override
 COPY config/apache/ridi-pay.conf /etc/apache2/sites-available/ridi-pay.conf
 RUN a2ensite ridi-pay
 
+COPY . /app
+
 # Install composer
-RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" && \
-    php -r "if (hash_file('SHA384', 'composer-setup.php') === '48e3236262b34d30969dca3c37281b3b4bbe3221bda826ac6a9a62d6444cdb0dcd0615698a5cbe587c3f0fe57a54d8f5') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" && \
-    php composer-setup.php && \
-    php -r "unlink('composer-setup.php');" && \
-    mv composer.phar /usr/local/bin/composer
+RUN sh /app/bin/composer_installation.sh && mv composer.phar /usr/local/bin/composer
 
-COPY . /app
 RUN mkdir -p /app/var && chmod -R 777 /app/var
 
 WORKDIR /app

diff --git a/bin/composer_installation.sh b/bin/composer_installation.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+# Please refer to https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
+
+EXPECTED_SIGNATURE="$(wget -q -O - https://composer.github.io/installer.sig)"
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ACTUAL_SIGNATURE="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
+
+if [ "$EXPECTED_SIGNATURE" != "$ACTUAL_SIGNATURE" ]
+then
+>&2 echo 'ERROR: Invalid installer signature'
+  rm composer-setup.php
+  exit 1
+fi
+
+php composer-setup.php --quiet
+RESULT=$?
+rm composer-setup.php
+exit $RESULT