Hello,

I'm searching for a way to validate the authenticity of the composer installer. I did find a page referencing public keys for snapshots and tags but I did not manage to find a real signature file related to either composer-install.php nor composer.phar.

Unfortunately https://composer.github.io/installer.sig does not contain a signature but only a hash value of composer-install.php.

Maybe this is something I missed?

There are no signatures no only the checksum.