DEV Community

Czar Pino

Installing Composer Programmatically

I have found it quite concerning that people usually set up a programmatic Composer installation incorrectly. I feel that since Composer's download page describes the download process using a script, people take it as the programmatic way of installing. This is, of course, an incorrect assumption, which can be inferred from the hard-coded installer SHA used in the sample script.

After recently dealing with build failures caused by an outdated installer hash, I wanted to address this issue correctly instead of simply kicking it down the road.

Updating the installer hash

Before talking about the proper solution, I want to highlight the improper but quick solution: updating the installer hash. If you urgently need to get something done and want to address the installer issue separately, it is helpful in the short term to simply update the installer SHA hash.

# Replace "93b54496392c062774670ac18b134c3b3a95e5a5e5c8f1a9f115f203b75bf9a129d5daa8ba6a13e2cc8a1da0806388a8" with the current installer hash
# Installer URL as published on Composer's download page
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php -r "if (hash_file('SHA384', 'composer-setup.php') === '93b54496392c062774670ac18b134c3b3a95e5a5e5c8f1a9f115f203b75bf9a129d5daa8ba6a13e2cc8a1da0806388a8') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
php composer-setup.php
php -r "unlink('composer-setup.php');"

If you visit Composer's download page, you will quickly see the latest hash in the sample script. Alternatively, you can also check via the command line:

# via wget
wget -q -O - https://composer.github.io/installer.sig

# or via cURL
curl -s https://composer.github.io/installer.sig

Programmatic installation

The proper way to programmatically install Composer is to not rely on a hard-coded hash. Looking a little closer, Composer's download documentation actually links to the programmatic way of installing.


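#!/bin/sh

# Fetch the digest published for the current installer release
EXPECTED_SIGNATURE="$(wget -q -O - https://composer.github.io/installer.sig)"
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
ACTUAL_SIGNATURE="$(php -r "echo hash_file('SHA384', 'composer-setup.php');")"

# Abort before running the installer if the digests differ
if [ "$EXPECTED_SIGNATURE" != "$ACTUAL_SIGNATURE" ]
then
    >&2 echo 'ERROR: Invalid installer signature'
    rm composer-setup.php
    exit 1
fi

php composer-setup.php --quiet
RESULT=$?
rm composer-setup.php
exit $RESULT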

This script downloads the installer, verifies the hashes, then installs Composer. It checks the installer SHA against the latest hash obtained from whose value is automatically updated when a new release is made. This way, no hard coded hash is used within the script and you automatically get the latest version of Composer.
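
A stricter form of the comparison step, as an added example that is not from the original post or from Composer's documentation: it rejects an expected value that is not a 96-character hex digest (an empty response, a proxy error page) and reports that separately from a genuine mismatch. The function names `sha384_of` and `verify_installer` and the exit codes are assumptions, and it assumes `sha384sum` or `shasum` is installed.

```sh
#!/bin/sh
# Added example: helper names and exit codes are hypothetical, not Composer's.

# Print the SHA-384 of a file as lowercase hex (coreutils, else Perl's shasum).
sha384_of() {
    if command -v sha384sum >/dev/null 2>&1; then
        sha384sum "$1" | cut -d' ' -f1
    else
        shasum -a 384 "$1" | cut -d' ' -f1
    fi
}

# verify_installer EXPECTED FILE
#   0 = digest matches        1 = well-formed digest, but mismatch
#   2 = EXPECTED is not a 96-char lowercase hex string (empty, HTML, truncated)
#   3 = FILE is missing or empty
verify_installer() {
    expected=$1
    file=$2
    case $expected in
        ''|*[!0123456789abcdef]*) return 2 ;;
    esac
    [ "${#expected}" -eq 96 ] || return 2
    [ -s "$file" ] || return 3
    actual=$(sha384_of "$file")
    [ "$expected" = "$actual" ] || return 1
    return 0
}

# Constructed demo: a stand-in installer file checked against three inputs.
demo=$(mktemp)
printf '<?php // constructed stand-in for composer-setup.php\n' > "$demo"
good=$(sha384_of "$demo")
for candidate in "$good" "" "<html>proxy login page</html>"; do
    verify_installer "$candidate" "$demo" && rc=0 || rc=$?
    echo "exit status: $rc"
done
rm -f "$demo"
```

In the install script, the call `verify_installer "$EXPECTED_SIGNATURE" composer-setup.php` would take the place of the `if [ ... ]` comparison.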

You have now future-proofed programmatic Composer installation!

Originally published at
