Integrate with PhiVE for installing Composer #5155

Closed
jk opened this issue Apr 6, 2016 · 10 comments
Comments

jk commented Apr 6, 2016

As @shochdoerfer pointed out in this comment, it's probably a good idea to support PhiVE as an additional way to securely install Composer.

From their website:

Github releases
To distribute phars via Github in a PHIVE compliant way, it needs to be made available as an attachment to a release - alongside with a valid gpg signature. For PHIVE to pick it up, the filenames need to end on ".phar" and ".phar.asc" respectively.

PHIVE supports github's releases feature for repositories as of version 0.3.0.

And since we already have Github releases for composer, it should not be too much work to claim a PhiVE alias.

alcohol (Member) commented Apr 6, 2016

As PHIVE is still in alpha, I think it is a bit premature to start looking into this. :-)

@alcohol alcohol added the Feature label Apr 6, 2016
curry684 (Contributor) commented Apr 6, 2016

> As PHIVE is still in alpha

Composer left alpha a month ago 😉

barryvdh (Sponsor, Contributor) commented Apr 7, 2016

There are also other alternatives, like https://github.com/ellotheth/pipethis

> And since we already have Github releases for composer, it should not be too much work to claim a PhiVE alias.

Composer doesn't actually use the release feature I think, only the tags. But the tags contain the source, not the phar binary. It probably would make sense to attach binaries to the releases, perhaps that can be used to distribute the phars?
You could use the API to upload binaries (+ the signature) to the release tags: https://developer.github.com/v3/repos/releases/#upload-a-release-asset

(And maybe Github will extend GPG support for release binaries some day, so it becomes some kind of standard and the signature can be viewed online like in https://github.com/blog/2144-gpg-signature-verification)

Seldaek (Member) commented Apr 11, 2016

Maybe some day but right now I just invested a lot of time in making sure we don't blindly pipe into php and that we have signatures and that all that works without the hassle of GPG, so my motivation to deal with this isn't at the highest I have to admit :)

@Seldaek Seldaek added this to the Nice To Have milestone Apr 11, 2016
bamarni (Contributor) commented Jun 3, 2016

I don't think Phive can easily be used on Windows / Mac : https://github.com/phar-io/phive/blob/1ff73fbbf6bc53224a320583ef018e4a6c66dae8/src/shared/config/Config.php#L59

The tool mentioned by @barryvdh relies on a go library. It can probably work without this hard requirement for other OS than Linux, I've opened a ticket to ask (ellotheth/pipethis#11).

kaystrobach commented

Well, I just wanted to open a ticket to request an option in composer to install just phars instead of source files via composer (similar to phive), but into `vendor/bin`. This would allow shipping binaries of phpmd or similar stuff without having the classes in the autoloader 😄

amenk commented Jan 6, 2018

It is not necessary to use the GitHub release process. "just" GPG .asc signatures have to be made available. Are they maybe already? Would it be possible?

alcohol (Member) commented Jan 9, 2018

@Seldaek how do you feel about doing this? Signing the phars is not a lot of additional work. But someone has to do it. Probably would be wise to use a dedicated Composer GPG key, not a personal one (or not, I don't know what is preferable here?).

Seldaek (Member) commented Jan 9, 2018

I am already signing the phars, just not using GPG. So I guess I could add one more signature to the release process and push that out to the github release. Don't really wanna have travis do that part. I'll investigate.

@Seldaek Seldaek modified the milestones: Nice To Have, 2.0 Oct 27, 2020
Seldaek (Member) commented Oct 28, 2020

Fixed by 44dc3c2 - as of https://github.com/composer/composer/releases/tag/2.0.3 releases will be signed. I just tried to install it via phive and it works now without --force-accept-unsigned 👍

@Seldaek Seldaek closed this as completed Oct 28, 2020
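The check that PHIVE performs on those release assets (a detached GPG signature shipped as `.phar.asc` beside the `.phar`), as an added example that is not code from this thread, from Composer or from PHIVE. It generates a throwaway key in a temporary GNUPGHOME so it runs offline; the identity `release@example.invalid` and the stand-in phar are constructed for the demo, not Composer's real release key or file.

```shell
#!/bin/sh
# Added example (not Composer's or PHIVE's code): verify a release phar against
# the detached GPG signature PHIVE expects next to it, and show that a
# modified phar fails the check. A throwaway key is generated in a temporary
# GNUPGHOME so the script runs offline; "release@example.invalid" is a
# constructed identity, not Composer's real release key.
set -eu

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
WORK=$(mktemp -d)

# Throwaway signing key without a passphrase (constructed for the demo only).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Release <release@example.invalid>' default default never \
    >/dev/null 2>&1

# Constructed stand-ins for composer.phar and composer.phar.asc as they would
# be attached to a GitHub release.
printf '<?php echo "stand-in phar";\n' > "$WORK/composer.phar"
gpg --batch --quiet --pinentry-mode loopback --armor --detach-sign \
    --local-user release@example.invalid \
    --output "$WORK/composer.phar.asc" "$WORK/composer.phar" >/dev/null 2>&1

# verify_phar PHAR: succeeds only if PHAR.asc is a valid signature over PHAR
# by a key present in the keyring. In real use that keyring should hold only
# the publisher's key, imported out of band; run the phar only after this
# returns 0.
verify_phar() {
    phar=$1
    [ -f "$phar.asc" ] || { echo "missing signature $phar.asc" >&2; return 1; }
    gpg --batch --quiet --verify "$phar.asc" "$phar" >/dev/null 2>&1
}

# tampered_copy_verifies PHAR: append a byte to a copy and re-verify it with
# the original signature; it must return non-zero, which is the point.
tampered_copy_verifies() {
    cp "$1" "$WORK/tampered.phar"
    cp "$1.asc" "$WORK/tampered.phar.asc"
    printf 'x' >> "$WORK/tampered.phar"
    verify_phar "$WORK/tampered.phar"
}

if verify_phar "$WORK/composer.phar"; then
    echo "composer.phar: good signature"
fi
if ! tampered_copy_verifies "$WORK/composer.phar"; then
    echo "tampered.phar: signature rejected"
fi
```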