Pádraic Brady has a new article on his site talking about the secure distribution of phars (PHP archive files) including some of the common pitfalls and potential solutions.
The PHAR ecosystem has become a separate distribution mechanism for PHP code, distinct from what we usually consider PHP packages via PEAR and Composer. However, they still suffer from all of the same problems, namely the persisting whiff of security weaknesses in how their distribution is designed. […] [Several security-related issues introduce an element of risk that the code you receive is not actually the code the author intended to distribute, i.e. it may decide to go do some crazy things that spell bad news when executed.
He shares some of the steps he’s taken to secure his own phar for a CLI application with things like:
- Distribute the PHAR over HTTPS
- Enforce TLS verification
- Sign your PHAR with a private key
- Avoid PHAR Installer scripts
- Manage Self-Updates securely
He finishes the post with one of the most important parts of the article – a reminder to do all of the things on the list above consistently.
This is not an outrageous outcome to introducing proper security on PHAR downloads. Go forth and do it for all PHARs. Help create an environment where distributing and installing code in secure ways is the normal expected thing to do.