PHP projects drift quickly when each workstation resolves dependencies a little differently. To install Composer on Ubuntu, use the Ubuntu repository package for the distro-managed path, or use the upstream installer from getcomposer.org when your project needs the latest Composer 2 release.
Ubuntu 26.04 LTS (resolute), Ubuntu 24.04 LTS (noble), and Ubuntu 22.04 LTS (jammy) are in scope. APT provides different Composer package series on each release, while the official installer follows Composer’s latest stable 2.x channel on supported Ubuntu releases with PHP 8.1 or newer.
Install Composer on Ubuntu
Composer has two practical install paths on Ubuntu. The APT package is easier to maintain because normal system updates handle it, while the official installer gives developers the current upstream release as a standalone composer binary.
| Method | Source | Current result | Best fit |
|---|---|---|---|
| Ubuntu APT package | Ubuntu universe package | Release-specific Composer package managed by APT | Most users, servers, CI images, and systems that should follow Ubuntu package updates |
| Official upstream installer | getcomposer.org download page | Latest stable Composer 2 release from getcomposer.org | Developers who need current Composer features, a project-local composer.phar, or a version newer than Ubuntu 24.04 and 22.04 provide |
Composer Package Versions on Ubuntu
Ubuntu package versions matter because the APT method differs by release. Ubuntu 26.04 is close to the current upstream branch, but Ubuntu 24.04 and 22.04 carry older Composer builds.
| Ubuntu release | APT Composer series | Default PHP CLI package | Method note |
|---|---|---|---|
| Ubuntu 26.04 LTS (resolute) | 2.9.x | PHP 8.5.x | APT is current enough for most projects, but still updates through Ubuntu packages rather than composer self-update. |
| Ubuntu 24.04 LTS (noble) | 2.7.x | PHP 8.3.x | APT is stable and adequate for many projects; use the upstream installer if you need current Composer 2 behavior. |
| Ubuntu 22.04 LTS (jammy) | 2.2.x | PHP 8.1.x | APT provides the older 2.2 LTS line; use the upstream installer for the latest Composer 2 release. |
The APT package comes from Ubuntu’s universe component. Standard Ubuntu installs usually have universe enabled, but minimal or customized systems may need to enable it first; the Ubuntu universe and multiverse guide covers that package-source setup.
Install Composer with APT
Use the APT method when you want Composer to follow Ubuntu’s tested package set and update through normal system maintenance. Refresh the package index first:
sudo apt updateThese commands use
sudofor system-level package management. If your user cannot run sudo yet, use a root shell or follow the guide to add a new user to sudoers on Ubuntu.
Install the Composer package:
sudo apt install composerThe equivalent sudo apt-get install composer command targets the same Ubuntu package. The shorter apt form is clearer for interactive terminal sessions, while scripts can keep using apt-get.
Verify the installed Composer version:
composer --versionOn Ubuntu 26.04, relevant output includes:
Composer version 2.9.5 2026-01-29 11:40:53 PHP version 8.5.4 (/usr/bin/php8.5) Run the "diagnose" command to get more detailed diagnostics output.
Ubuntu 24.04 reports a Composer 2.7.x build, and Ubuntu 22.04 reports a Composer 2.2.x build from the default APT package. Those older series are expected for the repository method.
Install Latest Composer with the Official Installer
Use the upstream installer when the project needs the current stable Composer release rather than the version packaged for your Ubuntu release. The installer downloads a composer.phar file, and the hash check confirms the installer script matches the checksum published by Composer.
Prepare PHP and Download Tools
Install PHP CLI and the common extensions Composer uses in real projects:
sudo apt update
sudo apt install curl php-cli php-zip php-curl php-mbstring git unzip ca-certificatesThe package set covers the normal Composer workflow:
curldownloads the installer and checksum; the curl command guide explains its common flags.php-cliruns PHP scripts from the terminal, including Composer itself.php-zip,php-curl,php-mbstring, andunzipprevent common package extraction and performance warnings.- Git on Ubuntu lets Composer clone packages that resolve through source repositories instead of archives.
ca-certificateskeeps TLS certificate validation working when Composer contacts getcomposer.org, Packagist, and GitHub.
Verify the Composer Installer Hash
Download the current installer and compare its SHA-384 hash with the checksum Composer publishes separately:
EXPECTED_CHECKSUM=$(curl -fsSL https://composer.github.io/installer.sig)
curl -fsSL https://getcomposer.org/installer -o /tmp/composer-setup.php
ACTUAL_CHECKSUM=$(php -r "echo hash_file('sha384', '/tmp/composer-setup.php');")
if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]; then
rm /tmp/composer-setup.php
echo "Installer corrupt"
exit 1
fi
echo "Installer verified"A valid download returns:
Installer verified
If the check reports Installer corrupt, do not run the installer. Download it again after checking your network, proxy, or TLS setup.
Install Composer Globally
Install the verified Composer binary into /usr/local/bin so every user can run composer from the shell:
sudo php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composerThe installer confirms settings, downloads the current phar, and reports the final path; the exact version line changes as Composer publishes updates:
All settings correct for using Composer Downloading... Composer (version 2.9.7) successfully installed to: /usr/local/bin/composer Use it: php /usr/local/bin/composer
Confirm the active Composer binary:
composer --versionComposer prints the active stable release; the exact patch version changes as Composer publishes updates. Current output includes:
Composer version 2.9.7 2026-04-14 13:31:52
Install Composer.phar for One Project
A project-local composer.phar keeps Composer inside the current repository instead of installing a global command. Run this from the project directory after the installer hash has passed:
php /tmp/composer-setup.php --install-dir="$PWD" --filename=composer.phar
php composer.phar --versionRun local Composer commands as php composer.phar install or php composer.phar update. Most projects use a global Composer binary and commit composer.json plus composer.lock, not the downloaded composer.phar, unless the team intentionally vendors Composer itself.
Clean Up the Installer
Remove the setup script after the global or local installation succeeds:
rm -f /tmp/composer-setup.phpAvoid Mixing APT and Upstream Composer
APT installs Composer as /usr/bin/composer, while the upstream global install uses /usr/local/bin/composer. Ubuntu normally checks /usr/local/bin first, so a source-installed Composer can silently override the APT package. Choose one method per system unless you intentionally want that path precedence.
Manage PHP Dependencies with Composer
Composer does more than install itself. It records dependency constraints in composer.json, writes exact resolved versions to composer.lock, and downloads project packages into vendor/.
Use composer install vs composer update
composer install reads composer.lock and restores the exact package versions already chosen for the project. Use it after cloning a repository, deploying code, or running CI jobs.
composer installFor production deployments that already have a committed composer.lock, add --no-dev to skip installing development-only packages from require-dev. The optional autoloader flag makes class loading more efficient for deployed code; create or update the lock file during development before using this deployment command.
composer install --no-dev --optimize-autoloadercomposer update asks Packagist for newer versions that still match your constraints and rewrites composer.lock. Use it during development when you intentionally want dependency changes.
composer updateTo update one dependency and leave the rest of the lock file mostly unchanged, name the package explicitly:
composer update monolog/monologAdd a Composer Dependency
Inside a PHP project directory, add packages with composer require. This example installs Monolog, a common logging library:
composer require monolog/monolog --no-interactionRelevant output includes:
Using version ^3.10 for monolog/monolog ./composer.json has been created Running composer update monolog/monolog Loading composer repositories with package information Updating dependencies Lock file operations: 2 installs, 0 updates, 0 removals - Locking monolog/monolog (3.10.0) - Locking psr/log (3.0.2) Writing lock file Installing dependencies from lock file (including require-dev) Package operations: 2 installs, 0 updates, 0 removals Generating autoload files
After the command finishes, the project has three important Composer files or directories:
composer.jsonrecords the dependency names and version constraints you requested.composer.lockpins the exact package versions Composer resolved.vendor/stores downloaded packages plus Composer’s generated autoloader.
Use Composer Autoloading
Require Composer’s generated autoloader once, then use package classes normally in your PHP code:
<?php
require __DIR__ . '/vendor/autoload.php';
use Monolog\Logger;
use Monolog\Handler\StreamHandler;
$log = new Logger('app');
$log->pushHandler(new StreamHandler('app.log', Logger::WARNING));
$log->warning('This is a warning message');
$log->error('This is an error message');Save the file as script.php, then run it from the same project directory:
php script.phpThe script writes log entries to app.log:
[2026-04-29T06:59:59.543126+08:00] app.WARNING: This is a warning message [] [] [2026-04-29T06:59:59.544890+08:00] app.ERROR: This is an error message [] []
Check Composer Health and Directories
Composer includes a diagnostic command that checks PHP settings, Git access, Packagist connectivity, disk space, and archive support:
composer diagnoseRelevant output from a healthy Ubuntu 22.04 APT installation includes:
Checking platform settings: OK Checking git settings: OK Checking http connectivity to packagist: OK Checking https connectivity to packagist: OK Checking github.com rate limit: OK Checking disk free space: OK Composer version: 2.2.6 PHP version: 8.1.2 PHP binary path: /usr/bin/php8.1
Composer stores downloaded package archives in the cache directory, usually ~/.cache/composer, and global Composer packages under the Composer home directory, usually ~/.config/composer. Use Composer’s own config command to confirm the paths for your account:
composer config cache-dir --global
composer config home --globalUpdate Composer on Ubuntu
The update path depends on how Composer was installed. APT packages update through Ubuntu repositories, while the upstream binary can update itself from getcomposer.org.
Update APT-Installed Composer
Refresh APT metadata and upgrade only the Composer package if Ubuntu has published a newer build:
sudo apt update
sudo apt install --only-upgrade composerDo not use composer self-update for the Ubuntu package. The Debian and Ubuntu packaged builds intentionally disable or omit that command, so an error like this means you should update through APT instead:
Command "self-update" is not defined.
Update Upstream Composer
Composer installed from getcomposer.org can update itself. Because the global binary lives under /usr/local/bin, use sudo for the system-wide install:
sudo composer self-updateIf the binary is already current, Composer reports that you are using the latest available stable version. Otherwise, it downloads the newer composer.phar and replaces the existing binary.
Composer’s latest stable channel is the right default for supported Ubuntu releases. The Composer 2.2 LTS channel exists for older PHP 5.3 to 7.1 environments, but Ubuntu 22.04 and newer provide PHP versions that can run the current Composer 2 release.
Troubleshoot Composer on Ubuntu
Fix Installer Hash Verification Failures
If the installer hash check fails, remove the downloaded script and fetch both files again. A stale proxy cache, interrupted download, or modified response can cause the mismatch.
rm -f /tmp/composer-setup.php
EXPECTED_CHECKSUM=$(curl -fsSL https://composer.github.io/installer.sig)
curl -fsSL https://getcomposer.org/installer -o /tmp/composer-setup.php
ACTUAL_CHECKSUM=$(php -r "echo hash_file('sha384', '/tmp/composer-setup.php');")
if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]; then
rm /tmp/composer-setup.php
echo "Installer corrupt"
exit 1
fi
echo "Installer verified"Fix Could Not Open composer-setup.php
The error below means PHP cannot find the installer file in the current path:
Could not open input file: composer-setup.php
Use the absolute /tmp/composer-setup.php path from this article, or change into the directory where you downloaded the installer before running PHP:
ls -l /tmp/composer-setup.php
sudo php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composerFix PHP Extension or Slow Composer Warnings
Composer can run with a small PHP setup, but missing extensions often make installs slower or break packages that need archive extraction and string handling. Check the PHP version and loaded modules:
php -v
php -m | grep -E 'curl|zip|mbstring'If Composer warns that it is slower than normal because the PHP cURL extension is missing, or if package extraction fails because ZIP support is absent, install the common Composer extension set:
sudo apt install php-cli php-zip php-curl php-mbstring unzipFix SSL Certificate Verification Errors
Errors mentioning certificate verify failed, failed to enable crypto, or a failed download from https://getcomposer.org/versions usually point to missing or outdated CA certificates, a proxy, or an incorrect system clock. Start by reinstalling Ubuntu’s certificate bundle:
sudo apt install --reinstall ca-certificates
sudo update-ca-certificatesIf the error continues, verify the system date and inspect any corporate proxy or TLS interception layer before rerunning Composer.
Handle Permission Denied in /usr/local/bin
If the installer cannot write to /usr/local/bin, install Composer into your home directory first, then use sudo install to copy it into the system path with executable permissions:
php /tmp/composer-setup.php --install-dir="$HOME" --filename=composer
sudo install -m 0755 "$HOME/composer" /usr/local/bin/composer
rm "$HOME/composer"The install -m 0755 command copies the file and sets it readable and executable by all users, which matches the normal permission pattern for commands in /usr/local/bin.
Fix COMPOSER_HOME or HOME Errors
If Composer says The HOME or COMPOSER_HOME environment variable must be set for composer to run correctly, run Composer from a normal login shell instead of a stripped service environment. For one shell session, set Composer’s home directory explicitly:
export COMPOSER_HOME="$HOME/.config/composer"
mkdir -p "$COMPOSER_HOME"For systemd services, cron jobs, or CI runners, set HOME or COMPOSER_HOME in that job’s environment instead of relying on an interactive shell profile.
Remove Composer from Ubuntu
Use the removal path that matches the install method. If you used both APT and the upstream installer, remove both binaries so PATH precedence does not leave another Composer command behind.
Remove APT-Installed Composer
Remove the Ubuntu package first:
sudo apt remove composerVerify the package is no longer installed:
if dpkg-query -W -f='${db:Status-Abbrev}\n' composer 2>/dev/null | grep -q '^ii'; then
echo "composer package is still installed"
else
echo "composer package is not installed"
ficomposer package is not installed
Composer can install many PHP libraries as dependencies. Preview APT’s cleanup list before removing autoremovable packages, especially on reused desktops or servers where unrelated packages may also be marked autoremovable:
sudo apt autoremove --dry-runIf the preview only contains packages you no longer need, run the cleanup:
sudo apt autoremoveRemove Upstream Composer
For the upstream global install, delete the binary from /usr/local/bin and clear the current shell’s command lookup cache:
sudo rm -f /usr/local/bin/composer
hash -r
command -v composer || echo "composer not found"composer not found
If the command instead prints /usr/bin/composer, the APT package is still installed and is now the active Composer binary.
Remove Composer Cache and Global Packages
Composer cache and global package directories live in the user account, not in the APT package database. Clear the package archive cache first when Composer is still available:
composer clear-cacheThe following commands permanently delete cached packages, global Composer packages, and user-level Composer configuration. Back up anything under these directories first if you installed global tools such as Laravel Installer or custom Composer plugins.
rm -rf ~/.cache/composer
rm -rf ~/.config/composer
rm -rf ~/.composerConclusion
Composer is ready on Ubuntu with either a distro-managed APT package or the current upstream binary, so PHP projects can restore dependencies, lock versions, and load libraries consistently. For a fuller development stack, pair it with Install PHP on Ubuntu or configure web delivery with Nginx FastCGI Cache on Ubuntu.
Formatting tips for your comment
You can use basic HTML to format your comment. Useful tags currently allowed in published comments:
<code>command</code>command<strong>bold</strong><em>italic</em><blockquote>quote</blockquote>