According to https://github.com/composer/composer/issues/38 it would appear that composer does have some rudimentary verification of downloaded tarballs, in the sense that packagist publishes an sha of the download and then composer verifies that the file downloaded from github matches that hash.