mirror of https://github.com/composer/composer synced 2025-05-09 00:22:53 +00:00
composer/doc/faqs/how-to-install-composer-programmatically.md
Matthew Turland 4deec0359f
Update installer script URL to include openssl_free_key() deprecation fix
If the installer script linked from [this page](https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md) is run using PHP 8, it generates the following deprecation notice.

```
Deprecated: Function openssl_free_key() is deprecated since 8.0, as OpenSSLAsymmetricKey objects are freed automatically in Standard input code on line 982
```

This issue was [fixed in the installer script](https://github.com/composer/getcomposer.org/pull/159), but the documentation was not updated to link to the version of it that includes the fix.
2025-01-10 13:40:00 +01:00


How do I install Composer programmatically?

As noted on the download page, the installer script contains a checksum which changes when the installer code changes and as such it should not be relied upon in the long term.

An alternative is to use this script which only works with UNIX utilities:

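```shell
#!/bin/sh

# Fetch the published SHA-384 of the current installer, then the installer itself.
EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
# Hash the downloaded file locally so it can be compared with the published value.
ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"

# Refuse to run the installer if the two checksums differ.
if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
then
    >&2 echo 'ERROR: Invalid installer checksum'
    rm composer-setup.php
    exit 1
fi

# Run the verified installer, remove it, and pass its exit code on to the caller.
php composer-setup.php --quiet
RESULT=$?
rm composer-setup.php
exit $RESULT
```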

The script will exit with 1 in case of failure, or 0 on success, and is quiet if no error occurs.

Alternatively, if you want to rely on an exact copy of the installer, you can fetch a specific version from GitHub's history. The commit hash should be enough to give it uniqueness and authenticity as long as you can trust the GitHub servers. For example:

```shell
wget https://raw.githubusercontent.com/composer/getcomposer.org/f3108f64b4e1c1ce6eb462b159956461592b3e3e/web/installer -O - -q | php -- --quiet
```

You may replace the commit hash with whatever the last commit hash is on https://github.com/composer/getcomposer.org/commits/main
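
The pinned-commit download above can also be saved to a file and checked against a SHA-384 you recorded when you reviewed that exact file, so the result does not depend on the server alone and nothing is piped straight into PHP. This is an added example, not part of the Composer documentation; `PINNED_SHA384` (a placeholder to fill in), the function names and the `--install` switch are assumptions, and `sha384sum` or `shasum` is assumed to be installed.

```shell
#!/bin/sh
# Added example: pin the installer to one commit AND to a locally recorded SHA-384.
# PINNED_COMMIT is the hash shown on the page; PINNED_SHA384 is a placeholder.
PINNED_COMMIT="f3108f64b4e1c1ce6eb462b159956461592b3e3e"
PINNED_SHA384="${PINNED_SHA384:-REPLACE_WITH_SHA384_OF_REVIEWED_INSTALLER}"

# Print the lowercase hex SHA-384 of the file named in $1.
sha384_of() {
    if command -v sha384sum >/dev/null 2>&1; then
        sha384sum < "$1" | cut -d ' ' -f 1
    else
        shasum -a 384 < "$1" | cut -d ' ' -f 1
    fi
}

# Return 0 only if file $1 exists and its SHA-384 equals the 96-hex-digit value in $2.
verify_installer() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    # Reject empty or malformed expected values so a failed lookup can never "match".
    case $expected in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#expected}" -eq 96 ] || return 1
    [ "$(sha384_of "$file")" = "$expected" ]
}

# Download the pinned installer to a temp file, verify it, then run it quietly.
install_pinned() {
    tmp=$(mktemp) || return 1
    url="https://raw.githubusercontent.com/composer/getcomposer.org/$PINNED_COMMIT/web/installer"
    if wget -q -O "$tmp" "$url" && verify_installer "$tmp" "$PINNED_SHA384"; then
        php "$tmp" --quiet
        result=$?
    else
        >&2 echo 'ERROR: pinned installer failed verification'
        result=1
    fi
    rm -f "$tmp"
    return "$result"
}

# Only touch the network when explicitly asked: sh install-pinned.sh --install
if [ "${1:-}" = "--install" ]; then
    install_pinned
    exit $?
fi
```

Whenever you move `PINNED_COMMIT` to a newer commit, recompute `PINNED_SHA384` from the file you reviewed; until the placeholder is replaced, `verify_installer` rejects every download.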