See this issue for more information: composer/composer#38
THIS IS A PROOF OF CONCEPT. If the test does work, this could become a composer plugin.
Prerequisites: you must install the gnupg extension for PHP. See the PHP manual about gnupg installation and the PHP manual about installing PECL extensions. On Ubuntu, I had to install the package `libgpgme11-dev` (some dependencies were also installed) and then run `sudo pecl install gnupg`. I had to register the extension using `sudo su -c 'echo "extension=gnupg.so" >> /etc/php5/mods-available/gnupg.ini' root` and then enable it with `sudo php5enmod gnupg`.
To sign a package:

- clone this gist using `git clone git@gist.github.com:e380f19a1e31b737418c.git composer-signature-poc`
- cd into your package directory (the directory where you will find the `composer.json` file)
- execute the sign script (here, `ABCDEF123` is the key's fingerprint): `php /path/to/your/composer-signature-poc/sign.php ABCDEF123`

This will scan all files, calculate a sha1sum for each file, dump a JSON string representing the sha1 sums, sign that string and write it into the `composer.sha1.json` file.
To verify a package:

- fetch the key from a keyserver: `gpg2 --recv-keys ABCDEF123`, where `ABCDEF123` is the key fingerprint
- cd into your package directory (the directory where you will find the `composer.json` file)
- execute the verify script: `php /path/to/your/composer-signature-poc/verify.php <the signing key fingerprint>`

This will output the verification details and, at the end, a success/failure message.
Currently, I have signed one of our packages: `chill-project/main`. Please download it and check the signature. The package is signed by the key `52577F34`.
So...

- Check that you have installed the gnupg PECL extension for PHP. Instructions for Ubuntu/Debian: `sudo apt-get install libgpgme11-dev`, `sudo pecl install gnupg`, `sudo su -c 'echo "extension=gnupg.so" >> /etc/php5/mods-available/gnupg.ini' root`, `sudo php5enmod gnupg` (those instructions weren't tested on multiple machines. If you had to do it a different way, please let me know at julien [AT ] champs-libres [DOT] coop)
- Then run:

```
git clone git@github.com:Chill-project/main --branch signature_poc --single-branch chill-main
git clone git@gist.github.com:e380f19a1e31b737418c.git composer-signature-poc
cd chill-main
gpg2 --recv-keys 52577F34
php ./../composer-signature-poc/verify.php 52577F34
```
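The sign-then-verify flow described above, as an added example in PHP 7+ with the gnupg PECL extension (this is not the gist's own sign.php or verify.php); the manifest layout (a clearsigned JSON object mapping relative paths to sha1 sums), the `.git`/`vendor` blacklist and the function names are assumptions.

```php
<?php
// Added example, not the gist's sign.php/verify.php. Assumed manifest: clearsigned JSON {"files": {"<path>": "<sha1>"}}.
// Walk $dir and return [relative path => sha1]; .git/ and vendor/ are skipped (an assumed blacklist).
function buildManifest(string $dir): array
{
    $dir = rtrim($dir, '/');
    $keep = function (SplFileInfo $f) { return !in_array($f->getFilename(), ['.git', 'vendor'], true); };
    $it = new RecursiveIteratorIterator(new RecursiveCallbackFilterIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS), $keep));
    $files = [];
    foreach ($it as $f) {
        $rel = substr($f->getPathname(), strlen($dir) + 1);
        // the manifest never hashes itself
        if ($f->isFile() && $rel !== 'composer.sha1.json') $files[$rel] = sha1_file($f->getPathname());
    }
    ksort($files); // canonical order, so the signed JSON is reproducible
    return $files;
}
// Clearsign the manifest with the secret key $fingerprint from the local keyring.
function signManifest(array $files, string $fingerprint): string
{
    $gpg = gnupg_init();
    gnupg_setsignmode($gpg, GNUPG_SIG_MODE_CLEAR);
    if (!gnupg_addsignkey($gpg, $fingerprint)) throw new RuntimeException(gnupg_geterror($gpg));
    $signed = gnupg_sign($gpg, json_encode(['files' => $files]));
    if ($signed === false) throw new RuntimeException(gnupg_geterror($gpg));
    return $signed;
}
// Verify $dir/composer.sha1.json; returns [] when the package is intact, otherwise the offending paths.
// $expected must be the full 40-hex fingerprint: short ids such as 52577F34 are trivially collidable.
function verifyManifest(string $dir, string $expected): array
{
    $gpg = gnupg_init();
    $sigs = gnupg_verify($gpg, file_get_contents("$dir/composer.sha1.json"), false, $plain);
    if ($sigs === false) throw new RuntimeException('no valid signature: ' . gnupg_geterror($gpg));
    // A good signature only counts if the pinned key made it: trust comes from the fingerprint given
    // on the command line, not from the keyring's web-of-trust validity of a freshly fetched key.
    $pinned = false;
    foreach ($sigs as $sig) {
        $good = $sig['status'] === 0 && !($sig['summary'] & GNUPG_SIGSUM_RED);
        $pinned = $pinned || ($good && strcasecmp($sig['fingerprint'], $expected) === 0);
    }
    if (!$pinned) throw new RuntimeException("signature was not made by key $expected");
    $signedFiles = json_decode($plain, true)['files'] ?? [];
    $actual = buildManifest($dir);
    $bad = []; // changed, deleted and added files all count as tampering
    foreach ($signedFiles + $actual as $path => $_) {
        if (($signedFiles[$path] ?? null) !== ($actual[$path] ?? null)) $bad[] = $path;
    }
    return $bad;
}
```

Because `verifyManifest()` pins the signer's fingerprint itself, a key just fetched with `gpg2 --recv-keys` does not need any web-of-trust validity for the check to be meaningful, and a file added to the package after signing is reported just like a modified one.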
+1 Aside, in a full implementation, rather than blacklisting paths maybe we should require the paths on which to base the signature (maybe these could be specified in or deduced from `composer.json`).