
Does PHP’s Composer provide cryptographic authentication and integrity validation?

Çağlar Arlı

Does PHP's Composer package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them?

I see a lot of guides providing installation instructions with steps asking the user to install PHP dependencies with composer require .... I usually don't do this, as I trust my OS package manager (i.e. apt) to actually validate the origin/trust and integrity of the package before installing it.

Does Composer provide cryptographic authentication and integrity checks for all items downloaded before installing them by default?

Note: Transport validation via X.509 does not count as a valid auth/integrity check.