composer: Can't install anything, man-in-the-middle attack warning

Hi, I’ve Googled this but failed to find a solution. I’ve just installed Wampserver, then installed Composer on Windows 7, and this is my first time using Composer. I have a fairly simple composer.json file copied from the tutorial at http://docs.doctrine-project.org/projects/doctrine-orm/en/latest/tutorials/getting-started.html:

{
    "name": "my/name",
    "description": "my description",
    "license": "proprietary",
    "require": {
        "doctrine/dbal": "2.4.*",
        "symfony/console": "2.*"
    },
    "autoload": {
        "psr-0": {"": "src/"}
    }
}

Each time I run it, and I’ve run it many times, I get this error:

Loading composer repositories with package information
Installing dependencies (including require-dev)

  [Composer\Repository\RepositorySecurityException]
  The contents of http://packagist.org/p/doctrine/dbal$d904339843d0d66d194f72
  4e7543073f5fb46ee97d2852bdc0ae96f2cd5cba38.json do not match its signature.
   This should indicate a man-in-the-middle attack. Try running composer again and report this if you think it is a mistake.

install [--prefer-source] [--prefer-dist] [--dry-run] [--dev] [--no-dev] [--no-plugins] [--no-custom-installers] [--no-scripts] [--no-progress] [-v|vv|vvv|--verbose] [-o|--optimize-autoloader] [packages1] ... [packagesN]

Composer seems like a great idea, but I’m completely stuck as it won’t install anything at all for me! Can anyone help me sort this?

Thanks, Iain

About this issue

  • State: closed
  • Created 10 years ago
  • Comments: 67 (23 by maintainers)

Most upvoted comments

php composer.phar config --global repo.packagist composer https://packagist.org

solved my problem thank you

Same problem; located in Ecuador.

composer config --global repo.packagist composer https://packagist.org

Solved it for me. Thanks.

OK, interesting. Thanks for spending time debugging it. The reason we drop down to http after the initial file is that we use the sha256 checksums to verify that the following files have not been altered. Using https all the way is slower because of the handshake time; I don’t think it’s possible to keep a connection open with php streams. If I’m wrong on that, then it would be very helpful and allow us to keep it https all the way.

What you can do to work around it though is run composer config -ge, then add this repository definition to that file to override the default:

{
    "repositories": {
        "packagist": { "url": "https://packagist.org", "type": "composer" }
    }
}

This will remove the allow_ssl_downgrade=true that’s there by default, and it should make it use https always.

PS I have run composer diagnose, and everything comes back OK.
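To make the maintainer's explanation concrete, the following is an added Python example (not Composer's own code, which is PHP) of the check that produces the "do not match its signature" error: the provider URL carries the sha256 of the file that the https-fetched index referenced, so the body later fetched over plain http is hashed and compared against a value the client already trusts. The sample provider bodies are constructed, and the URL pattern, helper names and the "altered in transit" copy are this example's own assumptions.

```python
import hashlib
import json
import re

# Composer names each provider file after the sha256 of its content:
#   <base>/p/<vendor>/<package>$<sha256 hex>.json
# The hash comes from the index fetched over https, so the body itself can be
# fetched over plain http and still be checked against a hash the client trusts.
PROVIDER_URL_RE = re.compile(
    r"^(?P<base>https?://[^/]+)/p/(?P<name>[^$]+)\$(?P<hash>[0-9a-f]{64})\.json$"
)


def is_hash_pinned(url: str) -> bool:
    """True when the URL carries an embedded sha256 the client can verify against."""
    return PROVIDER_URL_RE.match(url) is not None


def expected_hash_from_url(url: str) -> str:
    """Extract the sha256 hex digest embedded in a hash-pinned provider URL."""
    m = PROVIDER_URL_RE.match(url)
    if m is None:
        raise ValueError(f"not a hash-pinned provider URL: {url}")
    return m.group("hash")


def verify_provider_file(url: str, body: bytes) -> bool:
    """Return True iff sha256(body) matches the hash embedded in the URL.

    This is the check behind Composer's RepositorySecurityException: a False
    result means the bytes received over http are not the bytes the https
    index referenced, whatever changed them on the way.
    """
    return hashlib.sha256(body).hexdigest() == expected_hash_from_url(url)


def build_provider_url(base: str, name: str, body: bytes) -> str:
    """Build the URL the index would advertise for a given provider file body."""
    return f"{base}/p/{name}${hashlib.sha256(body).hexdigest()}.json"


# Constructed sample data (not real Packagist content): the provider file the
# https-fetched index points at, and the same file with one field changed in transit.
GENUINE = json.dumps(
    {"packages": {"doctrine/dbal": {"2.4.0": {"dist": {"url": "https://example.invalid/dbal-2.4.0.zip"}}}}},
    sort_keys=True,
).encode()
ALTERED = GENUINE.replace(b"example.invalid", b"altered.invalid")

# The URL the index would have advertised for the genuine body, fetched over http.
PROVIDER_URL = build_provider_url("http://packagist.org", "doctrine/dbal", GENUINE)


def demo() -> dict:
    """Run the check on both bodies; only the unmodified one verifies."""
    return {
        "genuine": verify_provider_file(PROVIDER_URL, GENUINE),
        "altered": verify_provider_file(PROVIDER_URL, ALTERED),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'OK' if ok else 'do not match its signature'}")
```

Any difference between the http response body and the file the https index referenced fails this comparison, which is why the check cannot tell you what modified the bytes, only that something did. Forcing the repository URL to https, as the workaround above does, removes the http leg entirely, so the content is protected by TLS as well as by the checksum.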