Bug 1220083

Summary: php-composer2: composer has a broken signature
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Felix Glaser <glaser>
Component: Other
Assignee: E-mail List <screening-team-bugs>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: comrad
Version: Current
Target Milestone: ---
Hardware: All
OS: openSUSE Tumbleweed
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Felix Glaser 2024-02-19 15:35:31 UTC
Composer 2.7.1 as it is currently available in Tumbleweed crashes due to a broken signature and is unusable.

Steps to reproduce:
- launch a container based on docker.io/opensuse/tumbleweed:latest
- install the package `php-composer2`
- run `composer --version`

Expected result:
composer prints on shell: `Composer version 2.7.1 2024-02-09 15:26:28`

Actual result:
composer crashes with:
```
PHP Fatal error:  Uncaught PharException: phar "/usr/bin/composer2" has a broken signature in /usr/bin/composer2:28
Stack trace:
#0 /usr/bin/composer2(28): Phar::mapPhar()
#1 {main}
  thrown in /usr/bin/composer2 on line 28
```

Affected version:
composer 2.7.1-1.1


Additional Information:
A diffoscope comparison between the composer 2.7.1 executable from upstream (getcomposer.org) and `/usr/bin/composer2` from openSUSE's package reveals that `/usr/bin/composer2` differs only by an additional, superfluous `0xa0` at the end.
Comment 1 Felix Glaser 2024-02-20 11:59:08 UTC
I've noticed a typo in my report: the superfluous byte at the end of `/usr/bin/composer2` is in fact `0x0a`; something in openSUSE's packaging workflow seems to add a trailing newline to the composer executable.
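Why a single trailing newline breaks the check, shown as an added illustration that is not part of this report or of PHP/composer: a small Python reimplementation of phar's trailing signature verification, run over a constructed sample rather than a real phar. It assumes the documented phar trailer layout `<digest><4-byte little-endian flags><'GBMB'>` with the digest computed over every byte before it.

```python
import hashlib
import struct

# Hash-based phar signature types: flag value -> (hashlib name, digest length).
SIG_TYPES = {
    0x0001: ("md5", 16),
    0x0002: ("sha1", 20),
    0x0004: ("sha256", 32),
    0x0008: ("sha512", 64),
}
MAGIC = b"GBMB"


def verify_phar_signature(data: bytes) -> tuple[bool, str]:
    """Check the trailing signature block of a phar archive.

    Trailer layout: <digest><4-byte LE flags><'GBMB'>; the digest covers
    every byte before the digest itself. Returns (ok, reason).
    """
    if len(data) < 8 or data[-4:] != MAGIC:
        # This is what a trailing newline does: the last 4 bytes are no longer GBMB.
        return False, f"missing GBMB magic; last 4 bytes are {data[-4:]!r}"
    flags = struct.unpack("<I", data[-8:-4])[0]
    if flags not in SIG_TYPES:
        return False, f"unsupported signature type 0x{flags:x} (OpenSSL not handled here)"
    algo, length = SIG_TYPES[flags]
    sig_start = len(data) - 8 - length
    if sig_start < 0:
        return False, "file too short for the declared signature"
    stored, computed = data[sig_start:-8], hashlib.new(algo, data[:sig_start]).digest()
    if stored != computed:
        return False, f"{algo} digest mismatch"
    return True, f"{algo} signature valid"


def sign_phar(payload: bytes, flags: int = 0x0004) -> bytes:
    """Append a hash signature block the way phar does (constructed demo helper)."""
    algo, _ = SIG_TYPES[flags]
    return payload + hashlib.new(algo, payload).digest() + struct.pack("<I", flags) + MAGIC


if __name__ == "__main__":
    # Constructed stand-in for the archive body of composer.phar (not a real phar).
    good = sign_phar(b"<?php __HALT_COMPILER(); ?>\r\n" + b"fake manifest and file data")
    print(verify_phar_signature(good))           # (True, 'sha256 signature valid')
    # A packaging step appending "\n", as in this bug, shifts the trailer by one byte.
    print(verify_phar_signature(good + b"\n"))   # (False, 'missing GBMB magic; ...')
```

The same one-byte shift is why comparing the packaged file's SHA256 against the upstream `composer.phar.sha256sum` (as done later in this bug) catches the problem before PHP ever parses the archive.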
Comment 2 Bernd Ritter 2024-02-20 13:27:56 UTC
The sha256 of the composer.phar in OSC is different from the original composer.phar from the upstream project:

composer.phar from OSC:
5f3d57c8cf61916bee35d1ffa567652e6ced4d7aca02749ff30e0e7efc38bfd3  composer.phar

composer.phar from upstream (https://getcomposer.org/download/2.7.1/composer.phar.sha256sum):
1ffd0be3f27e237b1ae47f9e8f29f96ac7f50a0bd9eef4f88cdbe94dd04bfff0  composer.phar
Comment 3 Bernd Ritter 2024-02-21 23:10:13 UTC
(In reply to Bernd Ritter from comment #2)
> The sha256 of the composer.phar in OSC is different than the original
> composer.phar from the upstream project:
> 
> composer.phar from OSC:
> 5f3d57c8cf61916bee35d1ffa567652e6ced4d7aca02749ff30e0e7efc38bfd3 
> composer.phar
> 
> composer.phar from upstream
> (https://getcomposer.org/download/2.7.1/composer.phar.sha256sum):
> 1ffd0be3f27e237b1ae47f9e8f29f96ac7f50a0bd9eef4f88cdbe94dd04bfff0 
> composer.phar

I've sent a submit request to the package maintainers with a fix.
Comment 4 Bernd Ritter 2024-02-22 19:36:24 UTC
The package's phar file now matches the SHA256 from the upstream project. The problem should be fixed now.
Comment 5 Felix Glaser 2024-02-27 13:27:34 UTC
I can confirm that the issue is fixed.