Instead of hardcoding the hash, fetch the current official one dynamically:
cd /tmp
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
EXPECTED_HASH=$(curl -s https://composer.github.io/installer.sig)
ACTUAL_HASH=$(php -r "echo hash_file('sha384', 'composer-setup.php');")
if [ "$EXPECTED_HASH" = "$ACTUAL_HASH" ]; then
echo "Installer verified"
else
echo "Installer corrupt"
rm composer-setup.php
exit 1
fi
php composer-setup.php --version=2.3.10 --install-dir=/usr/local/bin --filename=composer74
rm composer-setup.phpEven simpler (if you trust HTTPS)
If you're OK skipping hash validation:
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php composer-setup.php --version=2.3.10 --install-dir=/usr/local/bin --filename=composer74
rm composer-setup.phpFor most servers behind HTTPS, this is acceptable.