I want to distribute some PHP sourcecode, I need to provide a way to verify that these sourcecode aren't altered.
So basically I want to sign them (if possible using PHP) and later to check their signature (using PHP is mandatory, it have to work both on linux and windows).
I've been digging around, and what I found is that :
- signing :
- you can create a zip archive using PharData
- you can create pub/priv using openssl.
- you can sign a PharData using Phar::setSignatureAlgorithm
- you seems to have to put the public key alongside the archive (source (read step 3)) : The public key must be named the same name as the Phar file, with .pubkey added, and must be in the same directory as your Phar.
- verifying :
- I didn't found anything, I guess that PharData::extractTo is sufficient
if anyone can validate this process (or indicate a better one), it would be a great help.
Because I tried to give what theoretical solution I found from now, but between theory and practice, their should be a gap. Especially considering that I'm new to this concept, and that it is of the uttermost importance for my project to be solid on the security aspect. I remind that using apple's signing process was a pain in the ass several years ago and I'm not confident in my ability to create secured solution.
Regarding signed phar files, the last time I checked, the default behaviour was:
Hence it is simple to bypass the protection of signing by simply stripping out the signature (actually, you just need to flag the file as not signed). You can explicitly set the phar.require_hash option which removes this backdoor in the instance.
hmmmm. this is a bit vague. Modified by whom? As above you need the client to opt-in to a security model based on phar signing.
There are a lot of third party PHP encoders which work by obfuscating the code. Almost all of them provide a laughable level of protection. A couple of exceptions are IonCube encoder and Zend's encoder. I'm not sufficiently familiar with these to say how strong they are and whether they meet your requirement.
There were a couple of open source PHP compilers which would convert PHP source code to a .so extension (notably Facebook HipHop) but I don't think either are being maintained.
If you merely want to ensure that validated content is available to your customers (and you're not concerned about your customers modifying the files) then just use standard file signing with PGP or x509.
If you want to prevent your customers from modifying the PHP code, then the only option I am aware of (and haven't tested it myself) is to distribute your code as HHVM bytecode - but this is not resistant to reverse engineering, has no intrinsic, secure verification mechanism and is really not intended as a method of protecting the code.