Incorrect SHA-384 on installation page

Question

Incorrect SHA-384 on installation page

fabswt opened this issue 4 years ago · comments

The download page currently lists this code:

php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === 'c5b9b6d368201a9db6f74e2611495f369991b72d9c8cbd3ffbc63edff210eb73d46ffbfce88669ad33695ef77dc76976') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
php composer-setup.php
php -r "unlink('composer-setup.php');"

Mind the hash value.

However, install then fails with:

Installer corrupt
…
Could not open input file: composer-setup.php

The pubkeys page lists a different, correct, SHA-384 checksum:

e0012edf3e80b6978849f5eff0d4b4e4c79ff1609dd1e613307e16318854d24ae64f26d17af3ef0bf7cfb710ca74755a

Indeed, with this checksum, the installation does work.

P.S.: for anyone wanting to check the value manually themselves…

php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
shasum -a 384 composer-setup.php

Jordi Boggiano · Answer 1 · Thu Feb 13 2020 01:32:41 GMT+0800 (China Standard Time)

Ah crap sorry forgot the last deploy step.. leaving this open until I figure out how to prevent this in the future. But the immediate problem is fixed.

MID904 · Answer 2 · Sat Jan 02 2021 03:23:58 GMT+0800 (China Standard Time)

Hi guys, I think the code on the web page is wrong again. The installer has this checksum ae780b40779de28dd3262fe1c98c300d1205bab809ef91d3d49756ad24917c2529b1250814e46414445c8e27c7327917. The page shows this 756890a4488ce9024fc62c56153228907f1545c228516cbf63f885e036d37e9a59d27d63f46af1d4d07ee0f76181c7d3.