added composer installer signature check according to official docs: https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md

2018-03-10 10:53:21 +01:00 · 2018-03-10 10:53:21 +01:00 · 91598d8863
parent be1716a0e1
commit 91598d8863
1 changed files with 9 additions and 1 deletions
--- a/10
+++ b/10
@ -47,7 +47,15 @@ RUN apt-get update \
    && docker-php-ext-install -j4 $PHP_EXTENSIONS $PECL_PASSBOLT_EXTENSIONS \
    && docker-php-ext-enable $PHP_EXTENSIONS $PECL_PASSBOLT_EXTENSIONS \
    && docker-php-source delete \
-    && curl -sS https://getcomposer.org/installer | php \
+    && EXPECTED_SIGNATURE=$(curl -s https://composer.github.io/installer.sig) \
+    && php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
+    && ACTUAL_SIGNATURE=$(php -r "echo hash_file('SHA384', 'composer-setup.php');") \
+    && if [ "$EXPECTED_SIGNATURE" != "$ACTUAL_SIGNATURE" ]; then \
+         >&2 echo 'ERROR: Invalid installer signature'; \
+         rm composer-setup.php; \
+         exit 1; \
+       fi \
+    && php composer-setup.php \
    && mv composer.phar /usr/local/bin/composer \
    && curl -sSL $PASSBOLT_URL | tar zxf - -C . --strip-components 1 \
    && composer install -n --no-dev --optimize-autoloader \