Merge remote-tracking branch 'upstream/main' into build/vendor-bin-co…

…nfig
box-project · Jun 17, 2024 · f4b2643 · f4b2643
2 parents b91a9a4 + a1dcd9a
commit f4b2643
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 40 deletions.
diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml
@@ -95,7 +95,7 @@ jobs:
             # in a different workflow.
             # See https://github.com/actions/download-artifact/issues/172
             -   name: Retrieve built PHAR
-                uses: dawidd6/action-download-artifact@v3
+                uses: dawidd6/action-download-artifact@v5
                 with:
                     github_token: ${{secrets.GITHUB_TOKEN}}
                     workflow: release.yaml
@@ -150,7 +150,7 @@ jobs:
             # in a different workflow.
             # See https://github.com/actions/download-artifact/issues/172
             -   name: Retrieve built PHAR
-                uses: dawidd6/action-download-artifact@v3
+                uses: dawidd6/action-download-artifact@v5
                 with:
                     github_token: ${{secrets.GITHUB_TOKEN}}
                     workflow: release.yaml

diff --git a/.github/workflows/requirement-checker.yaml b/.github/workflows/requirement-checker.yaml
@@ -227,7 +227,7 @@ jobs:
             # in a different workflow.
             # See https://github.com/actions/download-artifact/issues/172
             -   name: Retrieve built PHAR
-                uses: dawidd6/action-download-artifact@v3
+                uses: dawidd6/action-download-artifact@v5
                 with:
                     github_token: ${{secrets.GITHUB_TOKEN}}
                     workflow: release.yaml

diff --git a/composer.lock b/composer.lock
diff --git a/doc/phar-signing.md b/doc/phar-signing.md
@@ -93,9 +93,10 @@ there is ways to void the signature:
 - Replace the signature used. An OpenSSL one will only make it slightly harder as this requires to change an external
   file (the public key), but in the context the attacker could inject code to the PHAR this is unlikely to be a real
   prevention measure.
+- The entire signature check can be disabled via the [PHP ini setting `phar.require_hash`][phar-require-hash].
 
 So to conclude, **this security mechanism CANNOT prevent modifications of the archive itself.** It is **NOT** a reliable
-protection measure.
+protection measure. It is merely a measure to prevent accidentally running a corrupted PHAR.
 
 The good news, there is a solution.
 
@@ -390,5 +391,6 @@ Credits:
 [keys.openpgp.org]: https://keys.openpgp.org/about
 [github-environment-secrets]: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions
 [github-workflow]: https://docs.github.com/en/actions/using-workflows
+[phar-require-hash]: https://www.php.net/manual/en/phar.configuration.php#ini.phar.require-hash
 [phive]: https://phar.io/
 [jar]: https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jarGuide.html