Private PHP packages can be installed using Composer. We need a little extra configuration in the composer.json file, and then we set up our SSH key. Follow along with these 3 easy steps, and don’t miss the caveat at the end.
1/25 update: provided a safer way to add a host to the known_hosts file. Thanks George for pointing this out!
1. Point to the Git repository
Update composer.json and add a repository:
"repositories": [
    {
        "type": "vcs",
        "url": "[email protected]:barryvanveen/secret.git"
    }
]
2. Create an SSH key
Create an SSH key on the machine on which you want to install the package.
If you are working on a development machine, you probably want to add the SSH key to your GitHub/BitBucket/GitLab account. This gives access to all private repositories that your account has access to.
- Add an SSH key to a GitHub account
- Add an SSH key to a BitBucket account
- Add an SSH key to a GitLab account
In case you are configuring a deployment server, it would be better to configure an access key or deploy key. An access key only provides access to a single repository and thus allows for more specific access management.
- Add a deploy key to a GitHub repository
- Add an access key to a BitBucket repository
- Add a deploy key to a GitLab repository
3. Run composer
Now just composer require or composer install the package as usual.
Caveat: add an SSH fingerprint to known hosts
The first time you use an SSH key on a new hostname, it will show you a warning like this:
The authenticity of host '123.123.123.123 (123.123.123.123)' can't be established.
RSA key fingerprint is a1:b2:c3:d4:e5:f6:6f:5e:4d:3c:2b:1a:00:11:22:33.
Are you sure you want to continue connecting (yes/no)?
This serves as an extra layer of protection to prevent you from mistakenly connecting to an unknown host. This does however pose some problems if you want to use SSH keys to automate tasks.
That is why we want to trigger this warning manually and prevent it from popping up in the future. This can be done using the following command:
ssh -T [email protected]
Naturally, you should replace [email protected] with the hostname of your private repository. This command will invoke the warning that is listed above. You can verify the fingerprint against the list of fingerprints in your GitHub/BitBucket/GitLab account.
After confirming this warning, the SSH fingerprint will be added to the list of known hosts, and this will prevent the warning from popping up again.
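On a deployment server nobody is present to answer the prompt, so the same fingerprint check can be scripted. The following is an added example, not part of the original post: it takes ssh-keyscan output, compares every key's SHA256 fingerprint with the one you obtained from your Git host, and appends to known_hosts only on a match. The host name git.example.test, the file paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pin a Git host's SSH key from a deploy script instead of
# answering the interactive prompt. Requires OpenSSH (ssh-keyscan, ssh-keygen).

# Print the SHA256 fingerprint of every key in a known_hosts-format file.
scanned_fingerprints() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{ print $2 }'
}

# pin_host_key SCAN_FILE EXPECTED_FP KNOWN_HOSTS
# Append the scanned keys to KNOWN_HOSTS only if every one of them has the
# expected fingerprint. Returns 1 and writes nothing on any mismatch.
pin_host_key() {
    scan_file=$1 expected=$2 known_hosts=$3
    fps=$(scanned_fingerprints "$scan_file") || return 1
    if [ -z "$fps" ]; then
        echo "no usable host keys in $scan_file" >&2
        return 1
    fi
    for fp in $fps; do
        if [ "$fp" != "$expected" ]; then
            echo "fingerprint mismatch: got $fp, expected $expected" >&2
            return 1
        fi
    done
    # All keys verified: add each line once, so repeated deploys stay idempotent.
    while IFS= read -r line; do
        grep -qxF -- "$line" "$known_hosts" 2>/dev/null ||
            printf '%s\n' "$line" >> "$known_hosts"
    done < "$scan_file"
}

# Typical use (hypothetical host name, placeholder fingerprint):
#   ssh-keyscan -t ed25519 git.example.test > /tmp/scan 2>/dev/null
#   pin_host_key /tmp/scan "SHA256:<fingerprint from your Git host>" \
#       ~/.ssh/known_hosts || exit 1
```

Requesting a single key type with -t keeps the scan to one line, so one pinned fingerprint is enough; a mismatch should stop the deployment rather than be retried.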