Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:90749
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Message-ID: <D4.77.22511.DF500A65@pb1.pair.com>
To: internals@lists.php.net
Date: Wed, 20 Jan 2016 23:11:05 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.5.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: GnuPG support for Phar Signatures
From: flyingmana@googlemail.com (Flyingmana)

With OpenSSL Phar already supports one public/private key algorithm.
As using Phars as command line tools is in principle a question of
Trust, a Trust based Identity Tool like GnuPG looks like a good match
for me.

Iam already aware, that it would probably only work for people, who
installed the GnuPG extension for php.

Why I think this feature makes sense:
Tools like Composer are an important part of PHP projects today, but
people often use it in not complete secure ways. For example it is often
writeable by the current user, where it is easy to mess around with the
content of phars. And there is currently no way to detect, if someone
messed with it, as all existing signatures are easy to mess analog with it.
For GnuPG you have the keyring in a secure place, which can not get
messed with.
A problem I see here, how it could be enforced to verify via GnuPG, as
an attacker could also change the used algorithm.

Now My Questions are:
 * Do I need/should to modify the Phar code to support this new type?
 * should the main logic be part of the Phar code, the GnuPG extension,
or a complete new one?
 * is there someone I should talk about this before to get maybe
valuable knowledge?
 * Anything else I should look out for?

Best Regards
Flyingmana