Merge pull request #26864 from owncloud/get-secure-composer

Get composer using more secure method

Makefile

@@ -75,7 +75,7 @@ clean: clean-composer-deps clean-nodejs-deps clean-js-deps clean-test-results cl
 # Basic required tools
 #
 $(COMPOSER_BIN):
-	cd build && curl -sS https://getcomposer.org/installer | php
+	cd build && ./getcomposer.sh
 
 #
 # ownCloud core PHP dependencies

build/getcomposer.sh

+#!/bin/sh
+
+# From https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
+
+EXPECTED_SIGNATURE=$(wget -q -O - https://composer.github.io/installer.sig)
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ACTUAL_SIGNATURE=$(php -r "echo hash_file('SHA384', 'composer-setup.php');")
+
+if [ "$EXPECTED_SIGNATURE" != "$ACTUAL_SIGNATURE" ]
+then
+    >&2 echo 'ERROR: downloaded composer installer hash does not equal the expected one.'
+    rm composer-setup.php
+    exit 1
+fi
+
+php composer-setup.php --quiet
+RESULT=$?
+rm composer-setup.php
+exit $RESULT