Upload release signatures to the downloads page
1ma opened this issue · comments
Starting from the 2.0.3 release the project started including a composer.phar.asc file on the release assets that can be used to verify the authenticity of the binary with GPG.
However, the releases webpage (https://getcomposer.org/download/) still only lists the sha256 checksums. In particular it'd be great to be able to fetch the latest signature file through this URL: https://getcomposer.org/download/latest-stable/composer.phar.asc
I hope the solution works for you. It does a redirect to GitHub because getting the signatures directly on getcomposer.org would actually lower security here, and be a pain to implement.
Much appreciated, Jordi.
Looking at the code I think it does, but https://getcomposer.org/download/ is throwing an HTTP 500 error now.
Oh a nasty deployment process bug. Fixed now.
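Added example, not part of the thread and not Composer's own code: a shell sketch that fetches composer.phar and the signature through the latest-stable URL requested above, then accepts the download only if GPG reports a valid signature from a pinned primary key. The function names are hypothetical, the fingerprint passed in is a placeholder to be replaced with one obtained from a source independent of the download host, and the signing key is assumed to be in the local keyring already.

```shell
# Added example. The .asc URL is the one from the issue; it redirects to the
# GitHub release asset. The .phar URL is the same path without ".asc".
PHAR_URL="https://getcomposer.org/download/latest-stable/composer.phar"
SIG_URL="${PHAR_URL}.asc"

# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names the pinned primary-key fingerprint (field 12) and no status line
# reports a bad, unverifiable, expired or revoked-key signature.
# A bare `gpg --verify` exit code is not enough: it is 0 for a good
# signature from ANY key in the keyring.
status_matches_pinned_key() {
    local pinned
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && toupper($12) == want { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Usage: verify_composer_release "<PINNED_PRIMARY_KEY_FINGERPRINT>"
# (placeholder: the real fingerprint is not given in this thread).
# Prints the path of the verified file on success.
verify_composer_release() {
    local fpr="$1" dir
    dir=$(mktemp -d) || return 1
    curl -fsSL -o "$dir/composer.phar" "$PHAR_URL" &&
    curl -fsSL -o "$dir/composer.phar.asc" "$SIG_URL" &&
    gpg --batch --status-fd 1 --verify \
        "$dir/composer.phar.asc" "$dir/composer.phar" 2>/dev/null |
        status_matches_pinned_key "$fpr" &&
    printf '%s\n' "$dir/composer.phar"
}
```

The trust decision rests on the pinned fingerprint, so it holds regardless of which host or redirect served the two files.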