Composer isn't one file, and doesn't use zip format, or signed hashes as far as I know. The sources could be compromised, for instance. And it couldn't be 'simply installed' by an average Joe.
* Composer is one file. It's a .phar (as described by @az09mugen)
* I think in typical use, Composer is installing via Packagist.org, which is typically pointed at a GitHub repo, and it is the repo's zip file that is downloaded to your computer. You can look in composer.lock and see `"type": "zip"` throughout
* It definitely has some sort of hash verification in the PostFileDownloadEvent class. I've never used it to know if it would satisfy your need
Similarly, WP CLI is a .phar file which can then install additional packages. It's really just using Composer under the hood.
EGreg|1 year ago
BrianHenryIE|1 year ago
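
To check what the reply describes in a given composer.lock, this added example (not from the thread and not Composer's own code) lists each locked package's dist type and whether a `shasum` is recorded. The lock content is a constructed sample, and the function names `audit_lock` and `zips_without_shasum` are hypothetical.

```python
import json

# Constructed sample shaped like a composer.lock file; names, URLs and hashes are made up.
SAMPLE_LOCK = """
{
  "packages": [
    {"name": "example/alpha", "version": "1.2.0",
     "dist": {"type": "zip", "url": "https://example.invalid/alpha.zip",
              "reference": "a1b2c3", "shasum": ""}},
    {"name": "example/beta", "version": "2.0.1",
     "dist": {"type": "zip", "url": "https://example.invalid/beta.zip",
              "reference": "d4e5f6",
              "shasum": "0123456789abcdef0123456789abcdef01234567"}}
  ],
  "packages-dev": [
    {"name": "example/gamma", "version": "dev-main",
     "source": {"type": "git", "url": "https://example.invalid/gamma.git",
                "reference": "789abc"}}
  ]
}
"""


def audit_lock(lock_text):
    """Return one dict per locked package describing how its archive is fetched."""
    lock = json.loads(lock_text)
    rows = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            dist = pkg.get("dist") or {}
            source = pkg.get("source") or {}
            rows.append({
                "name": pkg.get("name", "<unnamed>"),
                "section": section,
                "dist_type": dist.get("type"),  # e.g. "zip"; None if source-only
                "reference": dist.get("reference") or source.get("reference"),
                # An empty or missing shasum means no checksum is recorded in the lock file.
                "has_shasum": bool((dist.get("shasum") or "").strip()),
            })
    return rows


def zips_without_shasum(rows):
    """Names of packages downloaded as zip archives with no checksum recorded."""
    return [r["name"] for r in rows if r["dist_type"] == "zip" and not r["has_shasum"]]


if __name__ == "__main__":
    for row in audit_lock(SAMPLE_LOCK):
        print(row)
    print("zip dists without shasum:", zips_without_shasum(audit_lock(SAMPLE_LOCK)))
```

To audit a real project, pass the text of its own composer.lock to `audit_lock` instead of the sample.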