[英]How PHAR signature prevents tampering with files?
I am wondering if it is possible to reuse a signature of a PHAR file. 我想知道是否可以重用PHAR文件的签名。 As it is described in the manual , each file has a manifest, which contains a lot of things which can be faked, and 4 bytes of CRC32 checksum, which is a poor choice (md5 or sha1 would be much secure), but can be faked harder than other stuff. 如手册中所述 ,每个文件都有一个清单,其中包含很多可以伪造的东西,以及4个字节的CRC32校验和,这是一个较差的选择(md5或sha1会很安全),但可以比其他东西更难伪造。 I have doubts about the validity of checksum used by creating the signature for verifying. 我对创建用于验证的签名所使用的校验和的有效性表示怀疑。 I mean it is slow to create a checksum by every inclusion of the phar file, but adding a manifest cache, which contains the checksum is not an option, if you want to stay secure (because it is relatively easy to modify this cache, if it is stored in the phar file). 我的意思是,每次包含phar文件都很难创建校验和,但是如果要保持安全性,则不可以选择添加包含校验和的清单缓存(因为修改此缓存相对容易,如果它存储在phar文件中)。 Do you know how phar packages solve this in a fast way? 您知道phar软件包如何快速解决此问题吗?
The documentation is rather hard to follow, and in some places out of date, but the verification seems to be as follows: 该文档很难遵循,并且在某些地方已经过时,但是验证似乎如下:
Your question talks of the speed of the signing and verifying process, and this is a key part of your suspicion that an insecure algorithm might be in play. 您的问题是关于签名和验证过程的速度,这是您怀疑算法不安全的关键部分。 Wikipedia summarises the performance of SHA-256/512 as 200 to 300 MiB/second on an inexpensive 64-bit CPU. Wikipedia总结在便宜的64位CPU上SHA-256 / 512的性能为200到300 MiB /秒。 Since a PHAR archive is unlikely to be as large as 200MiB, and since signature verification is performed on-demand, not on every execution (at least, I think so), the fraction of a second to hash the whole file is unlikely to be an issue. 由于PHAR归档文件不可能大到200MiB,并且由于签名验证是按需执行的,而不是不是每次执行时都执行(至少,我认为是这样),所以散发整个文件的时间不到一秒钟一个问题。 (Creation of the signature can also be postponed until all files are added, so again has no requirement for higher speed.) (签名的创建也可以推迟到所有文件都添加完之后,因此也不需要更高的速度。)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.