From f170cd177fbffc371aa3a48632936fda815aed59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20FIDRY?=
Date: Sat, 21 Oct 2023 18:09:30 +0200
Subject: [PATCH] feat: Deprecate OpenSSL signing

Closes #878.
---
 src/Configuration/Configuration.php | 7 +++++
 .../ConfigurationSigningTest.php | 28 ++++++++++++++++---
 2 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/src/Configuration/Configuration.php b/src/Configuration/Configuration.php
index b8e974f55..c7ae2b3d1 100644
--- a/src/Configuration/Configuration.php
+++ b/src/Configuration/Configuration.php
@@ -2292,6 +2292,13 @@ private static function retrieveSigningAlgorithm(stdClass $raw, ConfigurationLog
 self::addRecommendationForDefaultValue($logger, self::ALGORITHM_KEY);
 }
+ if (Phar::OPENSSL === $algorithm) {
+ $logger->addWarning(
+ 'Using an OpenSSL signature is deprecated and will be removed in 5.0.0. Please check '
+ .'https://github.com/box-project/box/blob/main/doc/phar-signing.md for alternatives.',
+ );
+ }
+
 return $algorithm;
 }
diff --git a/tests/Configuration/ConfigurationSigningTest.php b/tests/Configuration/ConfigurationSigningTest.php
index 91e6b38e4..0e907afed 100644
--- a/tests/Configuration/ConfigurationSigningTest.php
+++ b/tests/Configuration/ConfigurationSigningTest.php
@@ -245,7 +245,12 @@ public function test_the_key_can_be_configured(): void
 self::assertFalse($this->config->promptForPrivateKey());
 self::assertSame([], $this->config->getRecommendations());
- self::assertSame([], $this->config->getWarnings());
+ self::assertSame(
+ [
+ 'Using an OpenSSL signature is deprecated and will be removed in 5.0.0. Please check https://github.com/box-project/box/blob/main/doc/phar-signing.md for alternatives.',
+ ],
+ $this->config->getWarnings(),
+ );
 }
 public function test_the_key_pass_can_be_configured(): void
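Review bot: The deprecation text added to `retrieveSigningAlgorithm` only points at the documentation and does not say that the other built-in PHAR signature types (`Phar::MD5`, `Phar::SHA1`, `Phar::SHA256`, `Phar::SHA512`) are plain digests, so a user who silences the warning by switching `algorithm` to one of them gives up authenticity checking without being told. I would append one sentence to the message, for example `.' Hash-based algorithms only detect corruption; they do not authenticate the PHAR.'`, and update the expected strings in ConfigurationSigningTest to match. The link targets the `main` branch, so it may stop resolving if the document is moved or renamed; a tagged URL would be more stable. The function body starts above the hunk, so how `$algorithm` is resolved before this check is not visible here.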
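Review bot: The expected warning is pasted as a full string literal in this assertion of `test_the_key_can_be_configured` and again in the three assertions changed in `test_the_key_pass_can_be_configured` (the hunks at -263, -283 and -297), so any rewording of the message requires four identical edits. A class constant holding the message, e.g. `private const OPENSSL_DEPRECATION_WARNING = '…';`, referenced as `[self::OPENSSL_DEPRECATION_WARNING]` in each `assertSame`, would keep them in sync. None of the visible hunks asserts that a configuration with a non-OpenSSL algorithm still yields an empty warning list; if no existing test covers that, a negative case would be worth adding so the warning cannot start firing for every algorithm unnoticed.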
@@ -263,7 +268,12 @@ public function test_the_key_pass_can_be_configured(): void
 self::assertTrue($this->config->promptForPrivateKey());
 self::assertSame([], $this->config->getRecommendations());
- self::assertSame([], $this->config->getWarnings());
+ self::assertSame(
+ [
+ 'Using an OpenSSL signature is deprecated and will be removed in 5.0.0. Please check https://github.com/box-project/box/blob/main/doc/phar-signing.md for alternatives.',
+ ],
+ $this->config->getWarnings(),
+ );
 foreach ([false, null] as $keyPass) {
 $this->setConfig([
@@ -283,7 +293,12 @@ public function test_the_key_pass_can_be_configured(): void
 );
 }
- self::assertSame([], $this->config->getWarnings());
+ self::assertSame(
+ [
+ 'Using an OpenSSL signature is deprecated and will be removed in 5.0.0. Please check https://github.com/box-project/box/blob/main/doc/phar-signing.md for alternatives.',
+ ],
+ $this->config->getWarnings(),
+ );
 }
 $this->setConfig([
@@ -297,7 +312,12 @@ public function test_the_key_pass_can_be_configured(): void
 self::assertFalse($this->config->promptForPrivateKey());
 self::assertSame([], $this->config->getRecommendations());
- self::assertSame([], $this->config->getWarnings());
+ self::assertSame(
+ [
+ 'Using an OpenSSL signature is deprecated and will be removed in 5.0.0. Please check https://github.com/box-project/box/blob/main/doc/phar-signing.md for alternatives.',
+ ],
+ $this->config->getWarnings(),
+ );
 }
 public static function passFileFreeSigningAlgorithmProvider(): iterable