Download the PHP package roave/composer-gpg-verify without Composer

This page lists all versions of the PHP package roave/composer-gpg-verify. They can be downloaded and installed without Composer; dependencies are resolved automatically.

FAQ

After the download you need a single include, require_once('vendor/autoload.php');. After that you can import the classes with use statements.

Example:
If you use only one package, a project is not needed. If you use more than one package, however, the classes cannot be imported with use statements without a project.

In general it is recommended to always use a project to download your libraries; an application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In that case credentials are needed to access them. If a package comes from a private repository, enter the credentials in the auth.json textarea. You can look here for more information.

  • Some hosting environments cannot be reached by a terminal or SSH, so Composer cannot be used there.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources, which are sometimes not available on a simple webspace.
  • If you use private repositories you don't need to share your credentials: set everything up on our site and give your team members a simple download link.
  • Simplify your Composer build process: use our own command line tool to download the vendor folder as a binary. This makes your build faster and you don't need to expose your credentials for private repositories.

Information about the package composer-gpg-verify

Composer GPG signature verification plugin


This package provides pluggable composer tag signature verification.

Specifically, all this package does is stop the installation process when an untrusted package is encountered.

The aim of this package is to be a first reference implementation, to be used later in composer itself to enforce good dependency-checking hygiene.

Usage

This package provides no usable public API; it only acts as a plugin during composer installation:

Note that the installation itself may already fail if you have untrusted dependencies. To skip the checks provided by this package until you have worked out which dependencies are untrusted, run composer with the --no-scripts flag:

Trusted dependencies

This package uses GPG to validate that every downloaded dependency has a good and trusted git tag or commit signature.

At the moment the package only reads your local GPG trust database to determine which signatures are trusted; it does not modify it in any way.

In practice, this means that:

While this may sound like a needless complication to most users, who simply trust packagist to provide "good" dependencies, those dependencies may have been forged by an attacker who stole credentials from your favourite maintainers.

Good dependency hygiene is extremely important, and this package encourages maintainers to always sign their releases, and users to always check them.

Trusting someone's work

Assuming that you downloaded a signed package, you will likely get the following failure during the first installation:

This means that some-vendor/some-package is not trusted.

The AABBCCDDEEFF1122 in that message is the ID of the key you are missing. Let's download it:

Now the key is in your local keyring, but it isn't trusted yet.

IMPORTANT: do not blindly trust or sign other people's GPG keys. Only do so if you actually know that the key belongs to them, and you know them at least marginally. Usually, contacting the key's owner through an independent channel is the best way to check its authenticity.

To trust a key, you can edit it:

Alternatively, if you want to sign the GPG key, you can create a local (non-exportable) signature:

If you really trust a key, you can create a regular, exportable signature that may be uploaded to key servers:

Once you have done any of the above (signing or trusting), you may resume your composer install or update process.

Examples

Please refer to the examples directory for runnable examples. All examples are designed to leave your current GPG settings untouched.

Limitations

This package still has a few serious limitations:

These limitations will eventually be softened as development of further versions of the library continues.


All versions of composer-gpg-verify with dependencies

Requires:
  • php ^7.1.4
  • composer-plugin-api ^1.0

Composer command for our command line client (download client): the client runs in any environment and does not need a specific PHP version. The first 20 API calls are free.
