Sākums Izpētīt Palīdzība
Pierakstīties
joker
/
composer
1
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Pārlūkot izejas kodu

Bundle pubkeys and fail hard if validation can not happen

Jordi Boggiano 9 gadi atpakaļ
vecāks
59975e3aaa
revīzija
5b41eaad3a
1 mainītis faili ar 46 papildinājumiem un 22 dzēšanām
Dalītais skats Rādīt salīdzināšanas statistiku
  1. 46 22
      src/Composer/Command/SelfUpdateCommand.php

+ 46 - 22
src/Composer/Command/SelfUpdateCommand.php
Parādīt failu 

@@ -144,29 +144,53 @@ EOT
 
 
             $sigFile = 'file://'.$home.'/' . ($updatingToTag ? 'keys.tags.pub' : 'keys.dev.pub');
 
             if (!file_exists($sigFile)) {
 
-                $io->write('<warning>You are missing the public keys used to verify Composer phar file signatures</warning>');
 
-                if (!$io->isInteractive() || getenv('CI') || getenv('CONTINUOUS_INTEGRATION')) {
 
-                    $io->write('<warning>As this process is not interactive or you run on CI, it is allowed to run for now, but you should run "composer self-update --update-keys" to get them set up.</warning>');
 
-                } else {
 
-                    $this->fetchKeys($io, $config);
 
-                }
 
+                file_put_contents($home.'/keys.dev.pub', <<<DEVPUBKEY
 
+-----BEGIN PUBLIC KEY-----
 
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnBDHjZS6e0ZMoK3xTD7f
 
+FNCzlXjX/Aie2dit8QXA03pSrOTbaMnxON3hUL47Lz3g1SC6YJEMVHr0zYq4elWi
 
+i3ecFEgzLcj+pZM5X6qWu2Ozz4vWx3JYo1/a/HYdOuW9e3lwS8VtS0AVJA+U8X0A
 
+hZnBmGpltHhO8hPKHgkJtkTUxCheTcbqn4wGHl8Z2SediDcPTLwqezWKUfrYzu1f
 
+o/j3WFwFs6GtK4wdYtiXr+yspBZHO3y1udf8eFFGcb2V3EaLOrtfur6XQVizjOuk
 
+8lw5zzse1Qp/klHqbDRsjSzJ6iL6F4aynBc6Euqt/8ccNAIz0rLjLhOraeyj4eNn
 
+8iokwMKiXpcrQLTKH+RH1JCuOVxQ436bJwbSsp1VwiqftPQieN+tzqy+EiHJJmGf
 
+TBAbWcncicCk9q2md+AmhNbvHO4PWbbz9TzC7HJb460jyWeuMEvw3gNIpEo2jYa9
 
+pMV6cVqnSa+wOc0D7pC9a6bne0bvLcm3S+w6I5iDB3lZsb3A9UtRiSP7aGSo7D72
 
+8tC8+cIgZcI7k9vjvOqH+d7sdOU2yPCnRY6wFh62/g8bDnUpr56nZN1G89GwM4d4
 
+r/TU7BQQIzsZgAiqOGXvVklIgAMiV0iucgf3rNBLjjeNEwNSTTG9F0CtQ+7JLwaE
 
+wSEuAuRm+pRqi8BRnQ/GKUcCAwEAAQ==
 
+-----END PUBLIC KEY-----
 
+DEVPUBKEY
 
+);
 
+                file_put_contents($home.'/keys.tags.pub', <<<TAGSPUBKEY
 
+-----BEGIN PUBLIC KEY-----
 
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0Vi/2K6apCVj76nCnCl2
 
+MQUPdK+A9eqkYBacXo2wQBYmyVlXm2/n/ZsX6pCLYPQTHyr5jXbkQzBw8SKqPdlh
 
+vA7NpbMeNCz7wP/AobvUXM8xQuXKbMDTY2uZ4O7sM+PfGbptKPBGLe8Z8d2sUnTO
 
+bXtX6Lrj13wkRto7st/w/Yp33RHe9SlqkiiS4MsH1jBkcIkEHsRaveZzedUaxY0M
 
+mba0uPhGUInpPzEHwrYqBBEtWvP97t2vtfx8I5qv28kh0Y6t+jnjL1Urid2iuQZf
 
+noCMFIOu4vksK5HxJxxrN0GOmGmwVQjOOtxkwikNiotZGPR4KsVj8NnBrLX7oGuM
 
+nQvGciiu+KoC2r3HDBrpDeBVdOWxDzT5R4iI0KoLzFh2pKqwbY+obNPS2bj+2dgJ
 
+rV3V5Jjry42QOCBN3c88wU1PKftOLj2ECpewY6vnE478IipiEu7EAdK8Zwj2LmTr
 
+RKQUSa9k7ggBkYZWAeO/2Ag0ey3g2bg7eqk+sHEq5ynIXd5lhv6tC5PBdHlWipDK
 
+tl2IxiEnejnOmAzGVivE1YGduYBjN+mjxDVy8KGBrjnz1JPgAvgdwJ2dYw4Rsc/e
 
+TzCFWGk/HM6a4f0IzBWbJ5ot0PIi4amk07IotBXDWwqDiQTwyuGCym5EqWQ2BD95
 
+RGv89BPD+2DLnJysngsvVaUCAwEAAQ==
 
+-----END PUBLIC KEY-----
 
+TAGSPUBKEY
 
+);
 
             }
 
 
-            // if still no file is present it means we are on CI/travis or
 
-            // not interactive so we skip the check for now
 
-            if (file_exists($sigFile)) {
 
-                $pubkeyid = openssl_pkey_get_public($sigFile);
 
-                $algo = defined('OPENSSL_ALGO_SHA384') ? OPENSSL_ALGO_SHA384 : 'SHA384';
 
-                if (!in_array('SHA384', openssl_get_md_methods())) {
 
-                    throw new \RuntimeException('SHA384 is not supported by your openssl extension, could not verify the phar file integrity');
 
-                }
 
-                $signature = json_decode($signature, true);
 
-                $signature = base64_decode($signature['sha384']);
 
-                $verified = 1 === openssl_verify(file_get_contents($tempFilename), $signature, $pubkeyid, $algo);
 
-                openssl_free_key($pubkeyid);
 
-                if (!$verified) {
 
-                    throw new \RuntimeException('The phar signature did not match the file you downloaded, this means your public keys are outdated or that the phar file is corrupt/has been modified');
 
-                }
 
+            $pubkeyid = openssl_pkey_get_public($sigFile);
 
+            $algo = defined('OPENSSL_ALGO_SHA384') ? OPENSSL_ALGO_SHA384 : 'SHA384';
 
+            if (!in_array('SHA384', openssl_get_md_methods())) {
 
+                throw new \RuntimeException('SHA384 is not supported by your openssl extension, could not verify the phar file integrity');
 
+            }
 
+            $signature = json_decode($signature, true);
 
+            $signature = base64_decode($signature['sha384']);
 
+            $verified = 1 === openssl_verify(file_get_contents($tempFilename), $signature, $pubkeyid, $algo);
 
+            openssl_free_key($pubkeyid);
 
+            if (!$verified) {
 
+                throw new \RuntimeException('The phar signature did not match the file you downloaded, this means your public keys are outdated or that the phar file is corrupt/has been modified');
 
             }
 
         }
 
 
@@ -199,7 +223,7 @@ EOT
 
     protected function fetchKeys(IOInterface $io, Config $config)
 
     {
 
         if (!$io->isInteractive()) {
 
-            throw new \RuntimeException('Public keys are missing and can not be fetched in non-interactive mode, run this interactively or re-install composer using the installer to get the public keys set up');
 
+            throw new \RuntimeException('Public keys can not be fetched in non-interactive mode, please run Composer interactively');
 
         }
 
 
         $io->write('Open <info>https://composer.github.io/pubkeys.html</info> to find the latest keys');