Starting from the 2.0.3 release the project started including a composer.phar.asc file on the release assets that can be used to verify the authenticity of the binary with GPG.

However the releases webpage (https://getcomposer.org/download/) still only lists the sha256 checksums. In particular it'd be great to be able to fetch the latest signature file through this URL: https://getcomposer.org/download/latest-stable/composer.phar.asc

I hope the solution works for you. It does a redirect to github because getting the signatures directly on getcomposer.org would actually lower security here, and be a pain to implement.

Much appreciated, Jordi.

Looking at the code I think it does, but https://getcomposer.org/download/ is throwing an HTTP 500 error now.

Oh a nasty deployment process bug. Fixed now