See the security breach at PEAR https://twitter.com/pear/status/1086634389465956352 Composer uses two **different** source for signature and payload: - https://composer.github.io/installer.sig - https://getcomposer.org/installer Please consider adding it. Thank you!