With OpenSSL, Phar already supports one public/private key algorithm. As using Phars as command line tools is in principle a question of trust, a trust-based identity tool like GnuPG looks like a good match to me.

I am already aware that it would probably only work for people who installed the GnuPG extension for PHP.

Why I think this feature makes sense: tools like Composer are an important part of PHP projects today, but people often use them in ways that are not completely secure. For example, the Phar is often writeable by the current user, so it is easy to mess around with its content. And there is currently no way to detect if someone messed with it, as all existing signatures are just as easy to mess with. With GnuPG you have the keyring in a secure place, which cannot get messed with.

A problem I see here is how verification via GnuPG could be enforced, as an attacker could also change the used algorithm.

Now my questions are:

* Do I need to / should I modify the Phar code to support this new type?
* Should the main logic be part of the Phar code, the GnuPG extension, or a completely new one?
* Is there someone I should talk to about this beforehand to maybe get valuable knowledge?
* Anything else I should look out for?

Best Regards
Flyingmana
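One way the "keyring in a secure place" idea can be applied today, as an added example that is not part of the post or of Phar's own code: verify the archive against a detached GnuPG signature with the PECL gnupg extension and pin the release key's fingerprint, so that someone who can rewrite the Phar cannot simply re-sign it with a key of their own or swap the check for a weaker one. The file paths and the fingerprint below are placeholders.

```php
<?php
// Added example: verify a Phar against a detached GnuPG signature using the
// PECL gnupg extension, accepting only a signature made by a pinned key.
declare(strict_types=1);

// Assumptions (placeholders, not values from the post): the Phar, its
// detached ASCII-armoured signature stored next to it, and the full
// fingerprint of the release key that the operator pinned out of band.
const PHAR_PATH  = __DIR__ . '/composer.phar';
const SIG_PATH   = PHAR_PATH . '.asc';
const PINNED_FPR = '0000000000000000000000000000000000000000'; // placeholder

function verifyPharSignature(string $pharPath, string $sigPath, string $pinnedFingerprint): bool
{
    $archive   = file_get_contents($pharPath);
    $signature = file_get_contents($sigPath);
    if ($archive === false || $signature === false) {
        return false;
    }

    $gpg = gnupg_init();                      // keyring comes from $GNUPGHOME
    gnupg_seterrormode($gpg, GNUPG_ERROR_WARNING);

    $plain  = '';
    $result = gnupg_verify($gpg, $archive, $signature, $plain);
    if ($result === false) {
        return false;                         // gpgme error, e.g. unparsable signature
    }

    foreach ($result as $sig) {
        // GREEN = cryptographically good signature, RED = bad signature.
        // Web-of-trust validity is not required: pinning the fingerprint is
        // what decides whether this key is trusted to sign the tool.
        $good = $sig['status'] === 0
             && ($sig['summary'] & GNUPG_SIGSUM_GREEN) !== 0
             && ($sig['summary'] & GNUPG_SIGSUM_RED) === 0;
        if ($good && hash_equals($pinnedFingerprint, $sig['fingerprint'])) {
            return true;
        }
    }
    return false;                             // no acceptable signature found
}

if (!verifyPharSignature(PHAR_PATH, SIG_PATH, PINNED_FPR)) {
    fwrite(STDERR, "refusing to run: Phar signature check failed\n");
    exit(1);
}
```

The check has to live outside the Phar itself (in a wrapper or installer), since anything stored inside a writeable archive, the algorithm selector included, is under the same control as the archive content.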