Bug #71087 Phar - cannot use OpenSSL signatures with custom stub
Submitted: 2015-12-10 21:49 UTC Modified: -
From: securtiy at paragonie dot com Assigned:
Status: Open Package: PHAR related
PHP Version: 5.6.16 OS: Debian 8.1 Jessie with Dotdeb
Private report: No CVE-ID: None

 [2015-12-10 21:49 UTC] securtiy at paragonie dot com
Description:
------------
Is there any reason why we can't use Phar::setSignatureAlgorithm() after Phar::setStub()?

https://github.com/defuse/php-encryption/pull/139

If there's a reason this shouldn't be allowed, could the documentation please be updated to reflect this decision?

If this is a bug, it's breaking our ability to publish a signed .phar for defuse/php-encryption.


Test script:
---------------
https://raw.githubusercontent.com/paragonie/php-encryption/29dc5e866bb08dac38fef721f3356f2e2fea76c3/other/build_phar.php

Expected result:
----------------
Silent success, but if I do this:

$phar = new \Phar(dirname(__DIR__).'/dist/defuse-crypto.phar');
$signature = $phar->getSignature();
var_dump($signature);

...it shouldn't say its "hash_type" is "SHA-1"

Actual result:
--------------
PHP Fatal error:  Uncaught exception 'PharException' with message 'unable to copy stub of old phar to new phar "/var/www/defuse/php-encryption/dist/defuse-crypto.phar"' in /var/www/defuse/php-encryption/other/build_phar.php:37
Stack trace:
#0 /var/www/defuse/php-encryption/other/build_phar.php(37): Phar->setSignatureAlgorithm(16, '-----BEGIN PRIV...')
#1 {main}
  thrown in /var/www/defuse/php-encryption/other/build_phar.php on line 37

 [2015-12-10 21:58 UTC] security at paragonie dot com
In our use case, this resolved the problem...

https://github.com/paragonie/php-encryption/commit/72418c9c9c4b244523da678a629227e16840de51

...but that's a workaround, not a solution.
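
The report expects getSignature() to stop reporting "SHA-1" once the archive is OpenSSL-signed. A release-gate check along those lines follows, as an added example that is not from the bug report or the php-encryption repository. The function name checkPharSignature and the optional pinned-key argument are assumptions, and the code assumes PHP 7.1 or later with ext/phar and ext/openssl loaded.

```php
<?php
// Added example: release gate for a signed .phar (not code from the bug report).

/**
 * Returns a list of problems; an empty list means the archive passed.
 * $pinnedPubKeySha256 is a hypothetical parameter: the SHA-256 (hex) of the
 * publisher's PEM public key file, obtained out of band.
 */
function checkPharSignature(string $pharPath, ?string $pinnedPubKeySha256 = null): array
{
    $problems = [];
    $pubKeyPath = $pharPath . '.pubkey';

    // ext/phar verifies an OpenSSL signature against <archive>.pubkey.
    if (!is_file($pubKeyPath)) {
        $problems[] = "missing public key file: $pubKeyPath";
    } elseif ($pinnedPubKeySha256 !== null
        && !hash_equals(strtolower($pinnedPubKeySha256), (string) hash_file('sha256', $pubKeyPath))) {
        // The key file ships beside the archive, so compare it to a pinned value.
        $problems[] = 'public key next to the archive does not match the pinned key';
    }

    try {
        // Opening the archive makes ext/phar verify the embedded signature.
        $phar = new Phar($pharPath);
    } catch (Exception $e) {
        $problems[] = 'archive failed to open or verify: ' . $e->getMessage();
        return $problems;
    }

    $signature = $phar->getSignature();
    if ($signature === false) {
        $problems[] = 'archive is unsigned';
    } elseif ($signature['hash_type'] !== 'OpenSSL') {
        // SHA-1 and the other digests are unkeyed: integrity only, no authenticity.
        $problems[] = "hash_type is {$signature['hash_type']}, expected OpenSSL";
    }
    return $problems;
}

// CLI use: php check_phar.php <archive.phar> [pinned-pubkey-sha256]
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $problems = checkPharSignature($argv[1], $argv[2] ?? null);
    foreach ($problems as $problem) {
        fwrite(STDERR, "FAIL: $problem\n");
    }
    exit($problems ? 1 : 0);
}
```

Run against the built archive, a non-zero exit status means the build fell back to a plain digest, lost its public key file, or failed verification.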
 