With tooly composer-script you can version needed PHAR files in your project's composer.json without adding them directly to a VCS,

Every PHAR file will be saved in the composer binary directory.


An real example can be found here.



To use the script execute the following command:

composer require --dev tm/tooly-composer-script

Then add the script in the composer.json under "scripts" with the event names you want to trigger. For example:


"scripts": {

    "post-install-cmd": "Tooly\\ScriptHandler::installPharTools",

    "post-update-cmd": "Tooly\\ScriptHandler::installPharTools"



Look here for more informations about composer events.

Sample usage

The composer.json scheme has a part "extra" which is used for the script. Its described here.

In this part you can add your needed phar tools under the key "tools".


"extra": {


    "tools": {

      "phpunit": {

        "url": "",

        "sign-url": ""


      "phpcpd": {

        "url": "",

        "only-dev": true


      "security-checker": {

        "url": "",

        "force-replace": true







url (required)

After you add the name of the tool as key, you need only one further parameter. The "url". The url can be a link to a specific version, such as x.y.z, or a link to the latest version for this phar.

sign-url (optional, default none)

If this parameter is set tooly checks if the PHAR file in url has a valid signature by comparing signature in sign-url.

This option is useful if you want to be sure that the tool is from the expected author.

Note: For the check you need a further requirement and a GPG binary in your $PATH variable.

You can add the requirement with this command: composer require tm/gpg-verifier

This check often fails if you dont has the public key from the tool author in your GPG keychain.

force-replace (optional, default false)

Every time you update or install with composer the phar tools are checked. You are asked if you want to overwrite the existing phar if the remote and local phar has not the same checksum.

Except you set this parameter.

This option is useful if you has a link to the latest version of a tool and always want a replacement. Or you run composer in non-interactive mode (for example in a CI system) and want a replacement.

But is also useful if some require-dev library has one of the tools as own requirement.

only-dev (optional, default true)

This parameter means that this phar is only needed in developing mode. So the command composer [install|update] --no-dev ignores this phar tool.

Note: Therefore tooly must be a no-dev requirement


You're free to use this package (it's MIT-licensed), but if it makes you happy it would be a great pleasure for me if you send a postcard from your hometown to me. My address is: Tommy Muehle, Hepkestr. 177, 01277 Dresden, Germany.

The postcards will get published on my website.