Just thought about hardening our Apache/PHP server installations and pondering a general approach. Is it possible to create a configuration in which PHP code is executed only when it is "signed" or its hash sum (e.g. MD5) is known?
Has anyone a suggestion?
Just a heads-up: I wouldn't recommend MD5 here, at all.
That being said, PHP Archives (aka Phar) support code-signing through OpenSSL. This is used in random_compat (see: random_compat.phar and random_compat.phar.pubkey; the .asc file is a GPG signature of the .pubkey file).
The code we use to generate signed Phars is located here.
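An added example (not part of the answer above and not random_compat's build script) of the OpenSSL Phar signing it describes: build and sign an archive, then load it only if the signature verifies against the `.pubkey` file and is an OpenSSL signature rather than a keyless hash. The temp directory, file names, throwaway key and the `deploy`/`load_signed` helpers are constructed for illustration.

```php
<?php
// Added example. Run: php -d phar.readonly=0 demo.php  (needs ext-phar and ext-openssl)
declare(strict_types=1);

$dir = sys_get_temp_dir() . '/phar-demo-' . bin2hex(random_bytes(4)); // constructed paths
mkdir($dir);

// Build side: throwaway RSA key; a real private key stays off the web server.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $privatePem);
$publicPem = openssl_pkey_get_details($key)['key'];

$phar = new Phar("$dir/build.phar");
$phar->addFromString('index.php', '<?php return "hello from signed code";');
$phar->setSignatureAlgorithm(Phar::OPENSSL, $privatePem);
unset($phar);
$signed = file_get_contents("$dir/build.phar");

// Deploy side: PHP checks an OpenSSL-signed archive against "<archive>.pubkey".
function deploy(string $path, string $bytes, string $publicPem): void
{
    file_put_contents($path, $bytes);
    file_put_contents("$path.pubkey", $publicPem);
}

// Refuse archives that fail verification or that carry only a keyless hash
// (SHA-1/SHA-256 signatures detect corruption, but anyone can recompute them).
function load_signed(string $path): ?string
{
    try {
        $sig = (new Phar($path))->getSignature();
    } catch (Exception $e) {
        return null; // signature did not verify against the .pubkey
    }
    if ($sig === false || strncmp($sig['hash_type'], 'OpenSSL', 7) !== 0) {
        return null;
    }
    return include "phar://$path/index.php";
}

deploy("$dir/good.phar", $signed, $publicPem);
var_dump(load_signed("$dir/good.phar"));

// Flip one byte of the payload and deploy it under a new name.
$tampered = $signed;
$tampered[strpos($signed, 'hello')] = 'j';
deploy("$dir/tampered.phar", $tampered, $publicPem);
var_dump(load_signed("$dir/tampered.phar"));
```

The signature type is read from the archive itself, so the explicit `hash_type` check is what prevents a re-packed archive with a plain hash signature from being accepted.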