Bug 1220083 - php-composer2: composer has a broken signature
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Other
Version: Current
Hardware: All openSUSE Tumbleweed
Importance: P5 - None : Normal
Assignee: E-mail List
QA Contact: E-mail List
Reported: 2024-02-19 15:35 UTC by Felix Glaser
Modified: 2024-02-27 13:27 UTC
Description Felix Glaser 2024-02-19 15:35:31 UTC
Composer 2.7.1 as it is currently available in Tumbleweed crashes due to a broken signature and is unusable.

Steps to reproduce:
- launch a container based on docker.io/opensuse/tumbleweed:latest
- install the package `php-composer2`
- run `composer --version`

Expected result:
composer prints on shell: `Composer version 2.7.1 2024-02-09 15:26:28`

Actual result:
composer crashes with:
```
PHP Fatal error:  Uncaught PharException: phar "/usr/bin/composer2" has a broken signature in /usr/bin/composer2:28
Stack trace:
#0 /usr/bin/composer2(28): Phar::mapPhar()
#1 {main}
  thrown in /usr/bin/composer2 on line 28
```

Affected version:
composer 2.7.1-1.1


Additional Information:
A diffoscope comparison between the composer 2.7.1 executable from upstream (getcomposer.org) and `/usr/bin/composer2` from openSUSE's package reveals that `/usr/bin/composer2` differs only by an additional, superfluous `0xa0` at the end.
Comment 1 Felix Glaser 2024-02-20 11:59:08 UTC
I've noticed a typo in my report: the superfluous byte at the end of `/usr/bin/composer2` is in fact `0x0a` - something in openSUSE's packaging workflow seems to add a trailing newline in the composer executable.
Comment 2 Bernd Ritter 2024-02-20 13:27:56 UTC
The sha256 of the composer.phar in OSC is different than the original composer.phar from the upstream project:

composer.phar from OSC:
5f3d57c8cf61916bee35d1ffa567652e6ced4d7aca02749ff30e0e7efc38bfd3  composer.phar

composer.phar from upstream (https://getcomposer.org/download/2.7.1/composer.phar.sha256sum):
1ffd0be3f27e237b1ae47f9e8f29f96ac7f50a0bd9eef4f88cdbe94dd04bfff0  composer.phar
Comment 3 Bernd Ritter 2024-02-21 23:10:13 UTC
(In reply to Bernd Ritter from comment #2)
> The sha256 of the composer.phar in OSC is different than the original
> composer.phar from the upstream project:
> 
> composer.phar from OSC:
> 5f3d57c8cf61916bee35d1ffa567652e6ced4d7aca02749ff30e0e7efc38bfd3 
> composer.phar
> 
> composer.phar from upstream
> (https://getcomposer.org/download/2.7.1/composer.phar.sha256sum):
> 1ffd0be3f27e237b1ae47f9e8f29f96ac7f50a0bd9eef4f88cdbe94dd04bfff0 
> composer.phar

I've sent a submit request to the package maintainers with a fix.
Comment 4 Bernd Ritter 2024-02-22 19:36:24 UTC
The package's phar file now matches the SHA256 from the upstream project. The problem should be fixed now.
Comment 5 Felix Glaser 2024-02-27 13:27:34 UTC
I can confirm that the issue is fixed.
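
Added example, not part of the bug thread or of the openSUSE or Composer code: a packaging-time check that compares a file against the upstream SHA-256 and reports when the only difference is an appended `0x0a`, together with a simplified model of why that byte breaks the archive. The model assumes a SHA-256-signed phar whose trailer is a 32-byte digest, a 4-byte little-endian flag (`0x0003`) and the magic `GBMB` as the last four bytes; the sample archive and all function names are constructed for illustration.

```python
import hashlib
import struct

PHAR_MAGIC = b"GBMB"    # a signed phar ends with these four bytes
SHA256_FLAG = 0x0003    # phar signature flag value for SHA-256
TRAILER_LEN = 32 + 4 + 4  # digest + flags + magic


def build_sample_phar(body: bytes) -> bytes:
    """Constructed stand-in for a signed phar: body, SHA-256, flags, magic."""
    digest = hashlib.sha256(body).digest()
    return body + digest + struct.pack("<I", SHA256_FLAG) + PHAR_MAGIC


def phar_signature_ok(data: bytes) -> bool:
    """Verify the SHA-256 trailer; any byte after the magic makes this fail."""
    if len(data) < TRAILER_LEN or data[-4:] != PHAR_MAGIC:
        return False
    (flags,) = struct.unpack("<I", data[-8:-4])
    if flags != SHA256_FLAG:
        return False
    return hashlib.sha256(data[:-TRAILER_LEN]).digest() == data[-TRAILER_LEN:-8]


def diagnose(packaged: bytes, upstream_sha256: str) -> str:
    """Classify a packaged file against the checksum published upstream."""
    if hashlib.sha256(packaged).hexdigest() == upstream_sha256:
        return "identical"
    # The failure mode from this bug: one newline appended during packaging.
    if packaged.endswith(b"\n"):
        if hashlib.sha256(packaged[:-1]).hexdigest() == upstream_sha256:
            return "trailing-newline"
    return "different"


# Constructed sample data (not the real composer.phar).
SAMPLE_UPSTREAM = build_sample_phar(b"<?php __HALT_COMPILER(); ?>\r\nsample payload")
SAMPLE_PACKAGED = SAMPLE_UPSTREAM + b"\n"
SAMPLE_UPSTREAM_SHA256 = hashlib.sha256(SAMPLE_UPSTREAM).hexdigest()

if __name__ == "__main__":
    for name, blob in (("upstream", SAMPLE_UPSTREAM), ("packaged", SAMPLE_PACKAGED)):
        print(name, "signature ok:", phar_signature_ok(blob),
              "| vs upstream:", diagnose(blob, SAMPLE_UPSTREAM_SHA256))
```

In a package build, `diagnose` would be fed the bytes of the installed file and the value from upstream's published `.sha256sum` file, failing the build on anything other than `identical`.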